[jira] [Created] (SOLR-15844) High security vulnerability in Apache Velocity (+2) - CVE-2020-13936 (+1) bundled with Solr

Thu, 09 Dec 2021 20:19:07 -0800 

Sandeep Srinath created SOLR-15844:
--------------------------------------

             Summary: High security vulnerability in Apache Velocity (+2) - 
CVE-2020-13936 (+1) bundled with Solr
                 Key: SOLR-15844
                 URL: https://issues.apache.org/jira/browse/SOLR-15844
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
            Reporter: Sandeep Srinath


Latest Version of Solr 8.11 bundles Apache Velocity 2.0 jar that has the 
following vulnerabilities:

 
h1. Vulnerability Details
h2. CVE-2020-13936

*Vulnerability Published:* 2021-03-10 03:15 EST
*Vulnerability Updated:* 2021-09-23 08:21 EDT
*CVSS Score:* {color:#FF0000}8.8{color} (overall), {color:#FF0000}8.8{color} 
(base)

{*}Summary{*}: An attacker that is able to modify Velocity templates may 
execute arbitrary Java code or run arbitrary system commands with the same 
privileges as the account running the Servlet container. This applies to 
applications that allow untrusted users to upload/modify velocity templates 
running Apache Velocity Engine versions up to 2.2.

{*}Solution{*}: N/A

{*}Workaround{*}: N/A
h2. BDSA-2021-0710

*Vulnerability Published:* 2021-03-22 12:01 EDT
*Vulnerability Updated:* 2021-11-08 09:16 EST
*CVSS Score:* {color:#FF0000}7.9{color} (overall), {color:#FF0000}8.8{color} 
(base)

{*}Summary{*}: Apache Velocity is vulnerable to remote code execution (RCE) and 
arbitrary command execution due to how the SecureUberspector functionality does 
not sufficiently prevent access to dangerous classes and packages.

An attacker with the ability to modify Velocity templates could use this issue 
to execute arbitrary Java code or system commands with the privileges of the 
account running the Servlet container.

{*}Solution{*}: Fixed in 
[*2.3-rc1*|https://github.com/apache/velocity-engine/releases/tag/2.3-RC1] by 
[this|https://github.com/apache/velocity-engine/commit/f355cec739d4e705e541a149ff2d8806ed565401]
 commit.

The latest stable releases are available 
[here|https://velocity.apache.org/download.cgi].

{*}Workaround{*}: N/A



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to