An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2023, 03:17
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
12 May 2022, 14:34
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
First Time |
Oracle communications Network Integrity
Oracle hospitality Token Proxy Service Oracle retail Xstore Office Cloud Service |
|
CPE | cpe:2.3:a:oracle:retail_xstore_office_cloud_service:17.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_office_cloud_service:20.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_office_cloud_service:19.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_office_cloud_service:18.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:hospitality_token_proxy_service:19.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_office_cloud_service:16.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:* |
20 Apr 2022, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
31 Mar 2022, 16:52
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory | |
First Time |
Oracle retail Service Backbone
Oracle utilities Testing Accelerator Oracle banking Deposits And Lines Of Credit Servicing Oracle Oracle retail Integration Bus Oracle banking Loans Servicing Oracle banking Party Management Oracle retail Order Broker Oracle banking Enterprise Default Management Oracle communications Cloud Native Core Policy Oracle banking Platform |
|
CPE | cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_enterprise_default_management:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.12.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_loans_servicing:2.12.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:* |
07 Feb 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
23 Sep 2021, 12:21
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.apache.org/thread.html/r7f209b837217d2a0fe5977fb692e7f15d37fa5de8214bcdc4c21d9a7@%3Ccommits.turbine.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r39de20c7e9c808b1f96790875d33e58c9c0aabb44fd9227e7b3dc5da@%3Cdev.ws.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882@%3Cusers.activemq.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r17cb932fab14801b14e5b97a7f05192f4f366ef260c10d4a8dba8ac9@%3Cdev.ws.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328@%3Cusers.activemq.apache.org%3E - Mailing List, Vendor Advisory | |
References | (GENTOO) https://security.gentoo.org/glsa/202107-52 - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r293284c6806c73f51098001ea86a14271c39f72cd76af9e946d9d9ad@%3Cdev.ws.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r4cd59453b65d4ac290fcb3b71fdf32b4f1f8989025e89558deb5a245@%3Cdev.ws.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rf7d369de88dc88a1347006a3323b3746d849234db40a8edfd5ebc436@%3Cdev.ws.apache.org%3E - Mailing List, Vendor Advisory |
31 Aug 2021, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Aug 2021, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Apr 2021, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
31 Mar 2021, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Mar 2021, 12:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
25 Mar 2021, 09:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
25 Mar 2021, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
24 Mar 2021, 01:09
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.apache.org/thread.html/rd2a89e17e8a9b451ce655f1a34117752ea1d18a22ce580d8baa824fd@%3Ccommits.druid.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rbee7270556f4172322936b5ecc9fabf0c09f00d4fa56c9de1963c340@%3Cdev.ws.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/reab5978b54a9f4c078402161e30a89c42807b198814acadbe6c862c7@%3Cdev.ws.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/re8e7482fe54d289fc0229e61cc64947b63b12c3c312e9f25bf6f3b8c@%3Cdev.ws.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rd7e865c87f9043c21d9c1fd9d4df866061d9a08cfc322771160d8058@%3Cdev.ws.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r0bc98e9cd080b4a13b905c571b9bed87e1a0878d44dbf21487c6cca4@%3Cdev.santuario.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/03/msg00019.html - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/re641197d204765130618086238c73dd2ce5a3f94b33785b587d72726@%3Cdev.ws.apache.org%3E - Mailing List, Vendor Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:a:apache:wss4j:2.3.1:*:*:*:*:*:*:* |
23 Mar 2021, 09:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
22 Mar 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
19 Mar 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
19 Mar 2021, 12:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
18 Mar 2021, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
17 Mar 2021, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
17 Mar 2021, 02:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Mar 2021, 16:19
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 9.0
v3 : 8.8 |
CPE | cpe:2.3:a:apache:velocity_engine:*:*:*:*:*:*:*:* | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2021/03/10/1 - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a%40%3Cuser.velocity.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a@%3Cuser.velocity.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6@%3Ccommits.velocity.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r3ea4c4c908505b20a4c268330dfe7188b90c84dcf777728d02068ae6@%3Cannounce.apache.org%3E - Mailing List, Vendor Advisory | |
CWE | NVD-CWE-noinfo |
10 Mar 2021, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Mar 2021, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-03-10 08:15
Updated : 2023-12-10 13:41
NVD link : CVE-2020-13936
Mitre link : CVE-2020-13936
CVE.ORG link : CVE-2020-13936
JSON object : View
Products Affected
debian
- debian_linux
oracle
- retail_order_broker
- utilities_testing_accelerator
- retail_integration_bus
- communications_cloud_native_core_policy
- retail_service_backbone
- banking_platform
- banking_enterprise_default_management
- banking_party_management
- hospitality_token_proxy_service
- communications_network_integrity
- retail_xstore_office_cloud_service
- banking_deposits_and_lines_of_credit_servicing
- banking_loans_servicing
apache
- wss4j
- velocity_engine
CWE