CVE announcement
diff --git a/src/content/news.xml b/src/content/news.xml
index a6b8960..b775d03 100644
--- a/src/content/news.xml
+++ b/src/content/news.xml
@@ -2,6 +2,55 @@
 
 <news xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://velocity.apache.org/NEWS/1.0.0" xsi:schemaLocation="http://velocity.apache.org/NEWS/1.0.0 http://velocity.apache.org/site/tools/velocity-site-news/xsd/news-1.0.0.xsd">
   <items>
+    <item id="CVE-2020-13936">
+        <date>2021-03-09</date>
+        <headline>Security Advisory for Velocity Engine - Velocity Sandbox Bypass - CVE-2020-13936</headline>
+        <categories>
+            <category>velocity</category>
+            <category>engine</category>
+        </categories>
+        <text><![CDATA[
+            PROBLEM:
+
+            An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
+
+            This issue has been assigned CVE-2020-13936.
+
+            WORKAROUND:
+
+            Applications using Apache Velocity that allow untrusted users to upload templates should upgrade to version 2.3. This version adds additional default restrictions on what methods/properties can be accessed in a template.
+
+            ACKNOWLEDGEMENTS:
+            This issue was discovered by Alvaro Munoz pwntester@github.com of Github Security Labs and was originally reported as GHSL-2020-048.
+      ]]></text>
+    </item>
+
+    <item id="CVE-2020-13959">
+        <date>2021-03-09</date>
+        <headline>Security Advisory for Velocity tools - XSS Vulnerability - CVE-2020-13959</headline>
+        <categories>
+            <category>velocity</category>
+            <category>tools</category>
+        </categories>
+        <text><![CDATA[
+            PROBLEM:
+
+            The default error page for VelocityView reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed.
+
+            XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.
+
+            This issue has been assigned CVE-2020-13959.
+
+            WORKAROUND:
+
+            Applications based on Apache Velocity Tools should upgrade to version 3.1. This version escapes the reflected text on the default error page, preventing potential javascript execution.
+
+            ACKNOWLEDGEMENTS:
+            
+            This issue was reported and a patch was submitted by Jackson Henry, member of Sakura Samurai.
+      ]]></text>
+    </item>
+  
     <item id="tools31">
         <date>2021-02-27</date>
         <headline>Velocity Tools 3.1 released</headline>
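Review bot: The CVE-2020-13959 item never states which Velocity Tools versions are affected. Its text only says to "upgrade to version 3.1", whereas the CVE-2020-13936 item gives a range ("versions up to 2.2"). Add an affected-versions sentence to the second PROBLEM section, and in the first one say whether 2.2 itself is included (for example "2.2 and earlier"), so readers can check their deployments without consulting the CVE record. Both "WORKAROUND:" sections describe an upgrade to a fixed release rather than a workaround; a heading such as "SOLUTION:" or "MITIGATION:" would match the content. Minor consistency points: the first ACKNOWLEDGEMENTS heading has no blank line after it while the second does, the closing "]]></text>" lines are indented less than their opening "<text>" tags, the added separator line before the "tools31" item carries trailing whitespace, and "Github" / "javascript" should be capitalised as "GitHub" / "JavaScript" (the second advisory already uses "JavaScript" in its PROBLEM text).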