Posted to commits@velocity.apache.org by wg...@apache.org on 2021/03/10 07:19:30 UTC

[velocity-site] branch security-news-update created (now a3096bb)

This is an automated email from the ASF dual-hosted git repository.

wglass pushed a change to branch security-news-update
in repository https://gitbox.apache.org/repos/asf/velocity-site.git.


      at a3096bb  CVE announcement

This branch includes the following new commits:

     new a3096bb  CVE announcement

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[velocity-site] 01/01: CVE announcement

Posted by wg...@apache.org.

wglass pushed a commit to branch security-news-update
in repository https://gitbox.apache.org/repos/asf/velocity-site.git

commit a3096bb25b2aebf1ebdefeba8eafc8cd7593277f
Author: Will Glass-Husain <wg...@forio.com>
AuthorDate: Tue Mar 9 23:19:02 2021 -0800

    CVE announcement
---
 src/content/news.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/src/content/news.xml b/src/content/news.xml
index a6b8960..b775d03 100644
--- a/src/content/news.xml
+++ b/src/content/news.xml
@@ -2,6 +2,55 @@
 
 <news xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://velocity.apache.org/NEWS/1.0.0" xsi:schemaLocation="http://velocity.apache.org/NEWS/1.0.0 http://velocity.apache.org/site/tools/velocity-site-news/xsd/news-1.0.0.xsd">
   <items>
+    <item id="CVE-2020-13936">
+        <date>2021-03-09</date>
+        <headline>Security Advisory for Velocity Engine - Velocity Sandbox Bypass - CVE-2020-13936</headline>
+        <categories>
+            <category>velocity</category>
+            <category>engine</category>
+        </categories>
+        <text><![CDATA[
+            PROBLEM:
+
+            An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
+
+            This issue has been assigned CVE-2020-13936.
+
+            WORKAROUND:
+
+            Applications using Apache Velocity that allow untrusted users to upload templates should upgrade to version 2.3. This version adds additional default restrictions on what methods/properties can be accessed in a template.
+
+            ACKNOWLEDGEMENTS:
+            This issue was discovered by Alvaro Munoz pwntester@github.com of Github Security Labs and was originally reported as GHSL-2020-048.
+      ]]></text>
+    </item>
+
+    <item id="CVE-2020-13959">
+        <date>2021-03-09</date>
+        <headline>Security Advisory for Velocity tools - XSS Vulnerability - CVE-2020-13959</headline>
+        <categories>
+            <category>velocity</category>
+            <category>tools</category>
+        </categories>
+        <text><![CDATA[
+            PROBLEM:
+
+            The default error page for VelocityView reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed.
+
+            XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.
+
+            This issue has been assigned CVE-2020-13959.
+
+            WORKAROUND:
+
+            Applications based on Apache Velocity Tools should upgrade to version 3.1. This version escapes the reflected text on the default error page, preventing potential javascript execution.
+
+            ACKNOWLEDGEMENTS:
+            
+            This issue was reported and a patch was submitted by Jackson Henry, member of Sakura Samurai.
+      ]]></text>
+    </item>
+  
     <item id="tools31">
         <date>2021-02-27</date>
         <headline>Velocity Tools 3.1 released</headline>
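Review bot: both new items label an upgrade as the "WORKAROUND:" (the CVE-2020-13936 item says "should upgrade to version 2.3", the CVE-2020-13959 item "should upgrade to version 3.1"), which a reader will take to mean a stopgap rather than the fix; rename that heading to something like "SOLUTION:" or "MITIGATION:" in both items, and if there is a genuine workaround for users who cannot upgrade yet (for example, not accepting templates from untrusted users at all, which the first item already implies), state it separately. The CVE-2020-13959 item also omits the affected version range that the CVE-2020-13936 item gives ("versions up to 2.2"); add the corresponding range for Velocity Tools so readers can tell whether their deployment is affected. Minor: the `+            ` line after "ACKNOWLEDGEMENTS:" in the second item and the `+  ` line before `<item id="tools31">` carry trailing whitespace inside the CDATA and between items; trimming them keeps the file consistent with the surrounding entries.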