This is an automated email from the ASF dual-hosted git repository.

wglass pushed a commit to branch security-news-update
in repository https://gitbox.apache.org/repos/asf/velocity-site.git

commit a3096bb25b2aebf1ebdefeba8eafc8cd7593277f
Author: Will Glass-Husain <[email protected]>
AuthorDate: Tue Mar 9 23:19:02 2021 -0800

    CVE announcement
---
 src/content/news.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/src/content/news.xml b/src/content/news.xml
index a6b8960..b775d03 100644
--- a/src/content/news.xml
+++ b/src/content/news.xml
@@ -2,6 +2,55 @@
 
 <news xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xmlns="http://velocity.apache.org/NEWS/1.0.0"; 
xsi:schemaLocation="http://velocity.apache.org/NEWS/1.0.0 
http://velocity.apache.org/site/tools/velocity-site-news/xsd/news-1.0.0.xsd";>
   <items>
+    <item id="CVE-2020-13936">
+        <date>2021-03-09</date>
+        <headline>Security Advisory for Velocity Engine - Velocity Sandbox 
Bypass - CVE-2020-13936</headline>
+        <categories>
+            <category>velocity</category>
+            <category>engine</category>
+        </categories>
+        <text><![CDATA[
+            PROBLEM:
+
+            An attacker that is able to modify Velocity templates may execute 
arbitrary Java code or run arbitrary system commands with the same privileges 
as the account running the Servlet container. This applies to applications that 
allow untrusted users to upload/modify velocity templates running Apache 
Velocity Engine versions up to 2.2.
+
+            This issue has been assigned CVE-2020-13936.
+
+            WORKAROUND:
+
+            Applications using Apache Velocity that allow untrusted users to 
upload templates should upgrade to version 2.3. This version adds additional 
default restrictions on what methods/properties can be accessed in a template.
+
+            ACKNOWLEDGEMENTS:
+            This issue was discovered by Alvaro Munoz [email protected] of 
Github Security Labs and was originally reported as GHSL-2020-048.
+      ]]></text>
+    </item>
+
+    <item id="CVE-2020-13959">
+        <date>2021-03-09</date>
+        <headline>Security Advisory for Velocity tools - XSS Vulnerability - 
CVE-2020-13959</headline>
+        <categories>
+            <category>velocity</category>
+            <category>tools</category>
+        </categories>
+        <text><![CDATA[
+            PROBLEM:
+
+            The default error page for VelocityView reflects back the vm file 
that was entered as part of the URL. An attacker can set an XSS payload file as 
this vm file in the URL which results in this payload being executed.
+
+            XSS vulnerabilities allow attackers to execute arbitrary 
JavaScript in the context of the attacked website and the attacked user. This 
can be abused to steal session cookies, perform requests in the name of the 
victim or for phishing attacks.
+
+            This issue has been assigned CVE-2020-13959.
+
+            WORKAROUND:
+
+            Applications based on Apache Velocity Tools should upgrade to 
version 3.1. This version escapes the reflected text on the default error page, 
preventing potential javascript execution.
+
+            ACKNOWLEDGEMENTS:
+            
+            This issue was reported and a patch was submitted by Jackson 
Henry, member of Sakura Samurai.
+      ]]></text>
+    </item>
+  
     <item id="tools31">
         <date>2021-02-27</date>
         <headline>Velocity Tools 3.1 released</headline>
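Review bot: both new items put an upgrade under the WORKAROUND heading ("Applications using Apache Velocity that allow untrusted users to upload templates should upgrade to version 2.3" and "Applications based on Apache Velocity Tools should upgrade to version 3.1"); an upgrade is the fix, not a workaround, so either rename the heading (MITIGATION or FIX) or, if one exists, add an actual workaround for deployments that cannot upgrade yet. The affected-version wording is also imprecise: "Apache Velocity Engine versions up to 2.2" should state whether 2.2 itself is affected (for example "2.2 and earlier"), and the Tools item gives no affected range at all before telling readers to move to 3.1. Minor consistency points: the Tools headline reads "Velocity tools" while the Engine headline uses "Velocity Engine", and the acknowledgement names "Github Security Labs" where the team's own name is GitHub Security Lab.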
