[ https://issues.apache.org/jira/browse/SOLR-15844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Høydahl updated SOLR-15844:
-------------------------------
    Summary: Upgrade Velocity to v2.3  (was: High security vulnerability in Apache Velocity (+2) - CVE-2020-13936 (+1) bundled with Solr)

> Upgrade Velocity to v2.3
> ------------------------
>
>                 Key: SOLR-15844
>                 URL: https://issues.apache.org/jira/browse/SOLR-15844
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 8.11
>            Reporter: wcmrnd1
>            Assignee: Jan Høydahl
>            Priority: Blocker
>             Fix For: 8.11.1
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The latest version of Solr, 8.11, bundles an Apache Velocity 2.0 jar that has the following vulnerabilities:
>
> h1. Vulnerability Details
>
> h2. CVE-2020-13936
>
> *Vulnerability Published:* 2021-03-10 03:15 EST
> *Vulnerability Updated:* 2021-09-23 08:21 EDT
> *CVSS Score:* {color:#FF0000}8.8{color} (overall), {color:#FF0000}8.8{color} (base)
>
> {*}Summary{*}: An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
>
> {*}Solution{*}: N/A
> {*}Workaround{*}: N/A
>
> h2. BDSA-2021-0710
>
> *Vulnerability Published:* 2021-03-22 12:01 EDT
> *Vulnerability Updated:* 2021-11-08 09:16 EST
> *CVSS Score:* {color:#FF0000}7.9{color} (overall), {color:#FF0000}8.8{color} (base)
>
> {*}Summary{*}: Apache Velocity is vulnerable to remote code execution (RCE) and arbitrary command execution due to how the SecureUberspector functionality does not sufficiently prevent access to dangerous classes and packages.
> An attacker with the ability to modify Velocity templates could use this issue to execute arbitrary Java code or system commands with the privileges of the account running the Servlet container.
> {*}Solution{*}: Fixed in [*2.3-rc1*|https://github.com/apache/velocity-engine/releases/tag/2.3-RC1] by [this|https://github.com/apache/velocity-engine/commit/f355cec739d4e705e541a149ff2d8806ed565401] commit.
> The latest stable releases are available [here|https://velocity.apache.org/download.cgi].
> {*}Workaround{*}: N/A

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
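A defender-side check for the condition the issue describes: an Apache Velocity engine jar older than the 2.3 fix release bundled somewhere under a Solr installation. This is an added example, not code from SOLR-15844, the Solr project or Velocity; it assumes the engine jar follows the Maven naming convention velocity-engine-core-<version>.jar and carries an Implementation-Version entry in its MANIFEST.MF (both assumptions), and it scans a constructed sample tree rather than a real distribution.

```python
"""Flag Apache Velocity Engine jars older than the 2.3 fix release.

Added example, not part of SOLR-15844 or of Solr. Assumptions: the engine
jar is named velocity-engine-core-<version>.jar (Maven convention) and its
MANIFEST.MF carries Implementation-Version. The sample tree is constructed.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# CVE-2020-13936 / BDSA-2021-0710 are fixed in Velocity 2.3 (per the issue).
FIXED_VERSION = (2, 3)
JAR_NAME = re.compile(r"^velocity-engine-core-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$")


def version_tuple(text):
    """'2.0' -> (2, 0); '2.3-RC1' -> (2, 3).

    A pre-release suffix is dropped on purpose: the fix landed in 2.3-rc1,
    so a 2.3 pre-release must not be reported as outdated.
    """
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def manifest_version(jar_path):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in raw.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def find_velocity_jars(root):
    """Yield (path, version) for every Velocity engine jar under root.

    The manifest is preferred; the version in the file name is the fallback
    (a renamed or repackaged jar may carry only one of the two).
    """
    for path in Path(root).rglob("*.jar"):
        match = JAR_NAME.match(path.name)
        if not match:
            continue
        version = manifest_version(path) or match.group(1)
        yield str(path), version


def vulnerable_jars(root):
    """Return [(path, version)] for jars older than FIXED_VERSION."""
    return [(p, v) for p, v in find_velocity_jars(root)
            if version_tuple(v) < FIXED_VERSION]


def build_sample_install(root):
    """Constructed sample tree (not a real Solr layout): one outdated jar,
    matching the 2.0 jar the issue says Solr 8.11 bundles, and one fixed jar."""
    samples = {
        "contrib/velocity/lib/velocity-engine-core-2.0.jar": "2.0",
        "server/lib/velocity-engine-core-2.3.jar": "2.3",
    }
    for rel, version in samples.items():
        jar = Path(root) / rel
        jar.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr("META-INF/MANIFEST.MF",
                       f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return root


def demo():
    """Build the constructed tree in a temp dir and return the findings
    as (relative path, version) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return [(Path(p).relative_to(tmp).as_posix(), v)
                for p, v in vulnerable_jars(tmp)]


if __name__ == "__main__":
    for rel_path, version in demo():
        print(f"OUTDATED Velocity {version}: {rel_path}")
```

Point the scanner at a real install with `vulnerable_jars("/opt/solr")` (path is a placeholder); anything it reports should be upgraded to 2.3 or later as the issue's fix does, and on deployments that never use the Velocity response writer the contrib jar can be removed rather than upgraded.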