Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2021/12/10 10:11:00 UTC

[jira] [Assigned] (SOLR-15844) High security vulnerability in Apache Velocity (+2) - CVE-2020-13936 (+1) bundled with Solr

     [ https://issues.apache.org/jira/browse/SOLR-15844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl reassigned SOLR-15844:
----------------------------------

    Assignee: Jan Høydahl

> High security vulnerability in Apache Velocity (+2) - CVE-2020-13936 (+1) bundled with Solr
> -------------------------------------------------------------------------------------------
>
>                 Key: SOLR-15844
>                 URL: https://issues.apache.org/jira/browse/SOLR-15844
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 8.11
>            Reporter: wcmrnd1
>            Assignee: Jan Høydahl
>            Priority: Blocker
>             Fix For: 8.11.1
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The latest version of Solr, 8.11, bundles an Apache Velocity 2.0 jar that has the following vulnerabilities:
>  
> h1. Vulnerability Details
> h2. CVE-2020-13936
> *Vulnerability Published:* 2021-03-10 03:15 EST
> *Vulnerability Updated:* 2021-09-23 08:21 EDT
> *CVSS Score:* 8.8 (overall), 8.8 (base)
> *Summary:* An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify Velocity templates running Apache Velocity Engine versions up to 2.2.
> *Solution:* N/A
> *Workaround:* N/A
> h2. BDSA-2021-0710
> *Vulnerability Published:* 2021-03-22 12:01 EDT
> *Vulnerability Updated:* 2021-11-08 09:16 EST
> *CVSS Score:* 7.9 (overall), 8.8 (base)
> *Summary:* Apache Velocity is vulnerable to remote code execution (RCE) and arbitrary command execution due to how the SecureUberspector functionality does not sufficiently prevent access to dangerous classes and packages.
> An attacker with the ability to modify Velocity templates could use this issue to execute arbitrary Java code or system commands with the privileges of the account running the Servlet container.
> *Solution:* Fixed in 2.3-rc1 (https://github.com/apache/velocity-engine/releases/tag/2.3-RC1) by this commit: https://github.com/apache/velocity-engine/commit/f355cec739d4e705e541a149ff2d8806ed565401
> The latest stable releases are available at https://velocity.apache.org/download.cgi.
> *Workaround:* N/A


