An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2021-03-10T08:00:19
Updated: 2024-08-04T12:32:14.319Z
Reserved: 2020-06-08T00:00:00
Link: CVE-2020-13936
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-03-10T08:15:14.103
Modified: 2024-11-21T05:02:11.127
Link: CVE-2020-13936
Redhat