Vulnerability Name:CVE-2020-13936 (CCN-197993)

Assigned:2020-06-08
Published:2021-03-09
Updated:2022-05-12
Summary:An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2020-13936

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20210309 CVE-2020-13936: Velocity Sandbox Bypass

Source: XF
Type: UNKNOWN
apache-cve202013936-code-exec(197993)

Source: CONFIRM
Type: Mailing List, Vendor Advisory
N/A

Source: MLIST
Type: Mailing List, Vendor Advisory
[velocity-user] 20210310 CVE-2020-13936: Velocity Sandbox Bypass

Source: MLIST
Type: Mailing List, Vendor Advisory
[santuario-dev] 20210323 [GitHub] [santuario-xml-security-java] dependabot[bot] opened a new pull request #33: Bump dependency-check-maven from 6.1.2 to 6.1.3

Source: MLIST
Type: Mailing List, Vendor Advisory
[ws-dev] 20210325 [jira] [Updated] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

Source: MLIST
Type: Mailing List, Vendor Advisory
[ws-dev] 20210331 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

Source: MLIST
Type: Mailing List, Vendor Advisory
[ws-dev] 20210324 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

Source: MLIST
Type: Mailing List, Vendor Advisory
[announce] 20210310 CVE-2020-13936: Velocity Sandbox Bypass

Source: MLIST
Type: Mailing List, Vendor Advisory
[ws-dev] 20210325 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

Source: MLIST
Type: Mailing List, Vendor Advisory
[activemq-users] 20210831 RE: Security issues

Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[turbine-commits] 20210329 svn commit: r1888167 - /turbine/core/trunk/pom.xml

Source: MLIST
Type: Mailing List, Vendor Advisory
[activemq-users] 20210830 Security issues

Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[velocity-commits] 20210310 [velocity-site] 01/01: CVE announcement

Source: MLIST
Type: Mailing List, Vendor Advisory
[ws-dev] 20210318 [jira] [Created] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

Source: MLIST
Type: Mailing List, Vendor Advisory
[druid-commits] 20210316 [GitHub] [druid] clintropolis opened a new pull request #11002: suppress CVE check for security fix

Source: MLIST
Type: Mailing List, Vendor Advisory
[ws-dev] 20210319 [jira] [Comment Edited] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

Source: MLIST
Type: Mailing List, Vendor Advisory
[ws-dev] 20210318 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

Source: MLIST
Type: Mailing List, Vendor Advisory
[ws-dev] 20210322 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

Source: MLIST
Type: Mailing List, Vendor Advisory
[ws-dev] 20210319 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

Source: MLIST
Type: Mailing List, Vendor Advisory
[ws-dev] 20210401 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210317 [SECURITY] [DLA 2595-1] velocity security update

Source: CCN
Type: oss-sec Mailing List, Tue, 9 Mar 2021 22:48:11 -0800
CVE-2020-13936: Velocity Sandbox Bypass

Source: GENTOO
Type: Third Party Advisory
GLSA-202107-52

Source: CCN
Type: Apache Web site
Apache Velocity

Source: CCN
Type: IBM Security Bulletin 6445703 (Spectrum Protect Plus)
Vulnerabilities in Apache and Node.js affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: CCN
Type: IBM Security Bulletin 6830243 (QRadar User Behavior Analytics)
Multiple vulnerabilities in Spark affecting IBM QRadar User Behavior Analytics

Source: CCN
Type: IBM Security Bulletin 6967183 (Cloud Pak System Software Suite)
Multiple vulnerabilities in Open Source software used by Cloud Pak System

Source: CCN
Type: IBM Security Bulletin 6967333 (QRadar SIEM)
IBM QRadar SIEM includes components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7001793 (App Connect Enterprise Toolkit)
Multiple vulnerabilities affect the IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:apache:velocity_engine:*:*:*:*:*:*:*:* (Version < 2.3)
  • OR cpe:/a:apache:wss4j:2.3.1:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_deposits_and_lines_of_credit_servicing:2.12.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_default_management:*:*:*:*:*:*:*:* (Version >= 2.3.0 and <= 2.4.1)
  • OR cpe:/a:oracle:banking_enterprise_default_management:2.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_enterprise_default_management:2.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_loans_servicing:2.12.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:*:*:*:*:*:*:*:* (Version >= 2.3.0 and <= 2.4.1)
  • OR cpe:/a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:hospitality_token_proxy_service:19.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_office_cloud_service:16.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_office_cloud_service:17.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_office_cloud_service:18.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_office_cloud_service:19.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_office_cloud_service:20.0.1:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:oracle:retail_order_broker_cloud_service:16.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8069 | P | velocity-1.7-150200.3.7.3 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:8065 | P | snakeyaml-1.33-150200.3.12.4 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:780 | P | Security update for snakeyaml (Important) | 2022-09-26
oval:org.opensuse.security:def:3430 | P | apache2-2.4.23-29.43.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:95060 | P | velocity-1.7-3.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94950 | P | libjavascriptcoregtk-4_1-0-2.36.0-150400.2.13 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:101663 | P | Security update for libqt5-qtbase (Important) | 2022-03-15
oval:org.opensuse.security:def:102239 | P | Security update for qemu (Low) | 2022-01-25
oval:org.opensuse.security:def:113566 | P | velocity-custom-parser-example-2.2-1.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:113565 | P | velocity-1.7-9.3 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:4541 | P | Security update for the Linux Kernel (Live Patch 21 for SLE 12 SP5) (Important) | 2021-12-14
oval:org.opensuse.security:def:106952 | P | velocity-1.7-9.3 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:1956 | P | velocity-1.7-3.3.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:63045 | P | velocity-1.7-3.3.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72764 | P | velocity-1.7-3.3.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:111280 | P | Security update for velocity (Important) | 2021-03-19
oval:org.opensuse.security:def:65630 | P | Security update for velocity (Important) | 2021-03-16
oval:org.opensuse.security:def:97291 | P | Security update for velocity (Important) | 2021-03-16
oval:org.opensuse.security:def:74698 | P | Security update for velocity (Important) | 2021-03-16
oval:org.opensuse.security:def:117843 | P | Security update for velocity (Important) | 2021-03-16
oval:org.opensuse.security:def:67067 | P | Security update for velocity (Important) | 2021-03-16
oval:org.opensuse.security:def:76135 | P | Security update for velocity (Important) | 2021-03-16
oval:org.opensuse.security:def:108329 | P | Security update for velocity (Important) | 2021-03-16
oval:org.opensuse.security:def:5978 | P | Security update for velocity (Important) | 2021-03-16
oval:org.opensuse.security:def:108905 | P | Security update for velocity (Important) | 2021-03-16
oval:org.opensuse.security:def:95526 | P | Security update for velocity (Important) | 2021-03-16