[ https://issues.apache.org/jira/browse/VELOCITY-982?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17876284#comment-17876284 ]
John Tal commented on VELOCITY-982:
-----------------------------------

Also, per the original finding [https://securitylab.github.com/advisories/GHSL-2020-048-apache-velocity/] they exposed the vulnerability through java.script.ScriptEngineManager

> Velocity 2.x - Velocity.properties - Additional introspector.restrict.classes
> -----------------------------------------------------------------------------
>
> Key: VELOCITY-982
> URL: https://issues.apache.org/jira/browse/VELOCITY-982
> Project: Velocity
> Issue Type: Improvement
> Components: Build
> Affects Versions: 2.0, 2.1, 2.2, 2.3, 2.4.2
> Reporter: John Tal
> Priority: Major
>
> In Velocity.properties, the introspector.restrict.classes entries.
> I assume additions to this file in that section resolved for CVE-2020-13936
> (templating can interact with the system)? Please confirm what commits or
> classes, settings did indeed resolve CVE-2020-13936. We really need to know
> because we are stuck on 1.7 and need to fork/patch.
> Along these lines of further security hardening, aren't there more entries
> needed in the introspect.restrict.classes section such as:
> java.lang.ProcessBuilder
> java.lang.Reflect
> javax.management.MBeanServer
> java.net.Socket
> javax.script.ScriptEngine
>
> Finally, please confirm whether Velocity is largely in CVE patch mode only
> and is not really an active project given that there is much more talk today
> about Apache FreeMarker. Just trying to determine the level of support and
> engagement from the Apache Velocity maintainers.
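The hardening the issue asks about, as an added example that is not part of the Jira thread or the Velocity project's shipped configuration: a velocity.properties fragment for Velocity 2.x that turns on SecureUberspector (the introspector that actually enforces the restrict lists) and extends the class list with the entries proposed in the issue. The property keys are Velocity's documented ones; the class list is an illustrative hardening set chosen here, not the project's default. Note that "java.lang.Reflect" from the issue is not a class: the reflection API is the java.lang.reflect package, which belongs under introspector.restrict.packages.

```properties
# Added example, not from the Velocity project or this issue: enable the
# secure introspector and extend the restricted classes. Key names are
# Velocity's documented keys; the class list is illustrative, not the default.
runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector

# Classes whose methods templates may not invoke, however the instance was reached.
introspector.restrict.classes = java.lang.Class,\
    java.lang.ClassLoader,\
    java.lang.Runtime,\
    java.lang.System,\
    java.lang.Thread,\
    java.lang.Process,\
    java.lang.ProcessBuilder,\
    javax.management.MBeanServer,\
    java.net.Socket,\
    javax.script.ScriptEngine,\
    javax.script.ScriptEngineManager

# Whole packages go here, not in restrict.classes. This covers java.lang.reflect
# (Method, Constructor, Field, ...), which the issue lists as "java.lang.Reflect".
introspector.restrict.packages = java.lang.reflect
```

Two practical caveats: the restriction only takes effect if SecureUberspector is the active uberspector (a restrict list with the default uberspector does nothing), and a deny list only blocks classes someone thought to name. The stronger control is to keep untrusted template authors away from the engine entirely and to place only plain data objects, not service or framework objects, into the template context.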