CVE-2020-13936

Velocity Sandbox Bypass

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Un atacante que es capaz de modificar las plantillas de Velocity puede ejecutar código Java arbitrario o ejecutar comandos de sistema arbitrarios con los mismos privilegios que la cuenta que ejecuta el contenedor Servlet. Esto se aplica a las aplicaciones que permiten a usuarios no confiables cargar y modificar plantillas de velocidad que ejecutan versiones de Apache Velocity Engine versiones hasta la 2.2

A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

*Credits: This issue was discovered by Alvaro Munoz pwntester@github.com of Github Security Labs and was originally reported as GHSL-2020-048.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-06-08 CVE Reserved
2021-03-10 CVE Published
2024-08-04 CVE Updated
2024-10-22 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (25)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/03/10/1	Mailing List
https://lists.apache.org/thread.html/r0bc98e9cd080b4a13b905c571b9bed87e1a0878d44dbf21487c6cca4%40%3Cdev.santuario.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r17cb932fab14801b14e5b97a7f05192f4f366ef260c10d4a8dba8ac9%40%3Cdev.ws.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r293284c6806c73f51098001ea86a14271c39f72cd76af9e946d9d9ad%40%3Cdev.ws.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r39de20c7e9c808b1f96790875d33e58c9c0aabb44fd9227e7b3dc5da%40%3Cdev.ws.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r3ea4c4c908505b20a4c268330dfe7188b90c84dcf777728d02068ae6%40%3Cannounce.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r4cd59453b65d4ac290fcb3b71fdf32b4f1f8989025e89558deb5a245%40%3Cdev.ws.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328%40%3Cusers.activemq.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r7f209b837217d2a0fe5977fb692e7f15d37fa5de8214bcdc4c21d9a7%40%3Ccommits.turbine.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882%40%3Cusers.activemq.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6%40%3Ccommits.velocity.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rbee7270556f4172322936b5ecc9fabf0c09f00d4fa56c9de1963c340%40%3Cdev.ws.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd2a89e17e8a9b451ce655f1a34117752ea1d18a22ce580d8baa824fd%40%3Ccommits.druid.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd7e865c87f9043c21d9c1fd9d4df866061d9a08cfc322771160d8058%40%3Cdev.ws.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/re641197d204765130618086238c73dd2ce5a3f94b33785b587d72726%40%3Cdev.ws.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/re8e7482fe54d289fc0229e61cc64947b63b12c3c312e9f25bf6f3b8c%40%3Cdev.ws.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/reab5978b54a9f4c078402161e30a89c42807b198814acadbe6c862c7%40%3Cdev.ws.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf7d369de88dc88a1347006a3323b3746d849234db40a8edfd5ebc436%40%3Cdev.ws.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2021/03/msg00019.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpujan2022.html	2023-11-07

URL	Date	SRC
https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a%40%3Cuser.velocity.apache.org%3E	2023-11-07
https://security.gentoo.org/glsa/202107-52	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-13936	2021-12-02
https://bugzilla.redhat.com/show_bug.cgi?id=1937440	2021-12-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Velocity Engine Search vendor "Apache" for product "Velocity Engine"				< 2.3 Search vendor "Apache" for product "Velocity Engine" and version " < 2.3"		-		Affected
Apache Search vendor "Apache"		Wss4j Search vendor "Apache" for product "Wss4j"				2.3.1 Search vendor "Apache" for product "Wss4j" and version "2.3.1"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Deposits And Lines Of Credit Servicing Search vendor "Oracle" for product "Banking Deposits And Lines Of Credit Servicing"				2.12.0 Search vendor "Oracle" for product "Banking Deposits And Lines Of Credit Servicing" and version "2.12.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Default Management Search vendor "Oracle" for product "Banking Enterprise Default Management"				>= 2.3.0 <= 2.4.1 Search vendor "Oracle" for product "Banking Enterprise Default Management" and version " >= 2.3.0 <= 2.4.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Default Management Search vendor "Oracle" for product "Banking Enterprise Default Management"				2.6.2 Search vendor "Oracle" for product "Banking Enterprise Default Management" and version "2.6.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Default Management Search vendor "Oracle" for product "Banking Enterprise Default Management"				2.7.1 Search vendor "Oracle" for product "Banking Enterprise Default Management" and version "2.7.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Default Management Search vendor "Oracle" for product "Banking Enterprise Default Management"				2.10.0 Search vendor "Oracle" for product "Banking Enterprise Default Management" and version "2.10.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Enterprise Default Management Search vendor "Oracle" for product "Banking Enterprise Default Management"				2.12.0 Search vendor "Oracle" for product "Banking Enterprise Default Management" and version "2.12.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Loans Servicing Search vendor "Oracle" for product "Banking Loans Servicing"				2.12.0 Search vendor "Oracle" for product "Banking Loans Servicing" and version "2.12.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Party Management Search vendor "Oracle" for product "Banking Party Management"				2.7.0 Search vendor "Oracle" for product "Banking Party Management" and version "2.7.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Platform Search vendor "Oracle" for product "Banking Platform"				>= 2.3.0 <= 2.4.1 Search vendor "Oracle" for product "Banking Platform" and version " >= 2.3.0 <= 2.4.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Platform Search vendor "Oracle" for product "Banking Platform"				2.6.2 Search vendor "Oracle" for product "Banking Platform" and version "2.6.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Platform Search vendor "Oracle" for product "Banking Platform"				2.7.1 Search vendor "Oracle" for product "Banking Platform" and version "2.7.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Policy Search vendor "Oracle" for product "Communications Cloud Native Core Policy"				1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Policy" and version "1.14.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Network Integrity Search vendor "Oracle" for product "Communications Network Integrity"				7.3.6 Search vendor "Oracle" for product "Communications Network Integrity" and version "7.3.6"		-		Affected
Oracle Search vendor "Oracle"		Hospitality Token Proxy Service Search vendor "Oracle" for product "Hospitality Token Proxy Service"				19.2 Search vendor "Oracle" for product "Hospitality Token Proxy Service" and version "19.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Integration Bus Search vendor "Oracle" for product "Retail Integration Bus"				19.0.1 Search vendor "Oracle" for product "Retail Integration Bus" and version "19.0.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Order Broker Search vendor "Oracle" for product "Retail Order Broker"				16.0 Search vendor "Oracle" for product "Retail Order Broker" and version "16.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Service Backbone Search vendor "Oracle" for product "Retail Service Backbone"				19.0.1 Search vendor "Oracle" for product "Retail Service Backbone" and version "19.0.1"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Office Cloud Service Search vendor "Oracle" for product "Retail Xstore Office Cloud Service"				16.0.6 Search vendor "Oracle" for product "Retail Xstore Office Cloud Service" and version "16.0.6"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Office Cloud Service Search vendor "Oracle" for product "Retail Xstore Office Cloud Service"				17.0.4 Search vendor "Oracle" for product "Retail Xstore Office Cloud Service" and version "17.0.4"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Office Cloud Service Search vendor "Oracle" for product "Retail Xstore Office Cloud Service"				18.0.3 Search vendor "Oracle" for product "Retail Xstore Office Cloud Service" and version "18.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Office Cloud Service Search vendor "Oracle" for product "Retail Xstore Office Cloud Service"				19.0.2 Search vendor "Oracle" for product "Retail Xstore Office Cloud Service" and version "19.0.2"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Office Cloud Service Search vendor "Oracle" for product "Retail Xstore Office Cloud Service"				20.0.1 Search vendor "Oracle" for product "Retail Xstore Office Cloud Service" and version "20.0.1"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.1.1 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.1.1"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.2.2 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.2.2"		-		Affected
Oracle Search vendor "Oracle"		Utilities Testing Accelerator Search vendor "Oracle" for product "Utilities Testing Accelerator"				6.0.0.3.1 Search vendor "Oracle" for product "Utilities Testing Accelerator" and version "6.0.0.3.1"		-		Affected