CVE-2020-13936
Remote Code Execution vulnerability in org.apache.velocity:velocity-engine-parent

Category: Remote Code Execution. Known public exploits: none.

What is CVE-2020-13936 About?

Apache Velocity Engine versions up to 2.2 are vulnerable to remote code execution if an attacker can modify Velocity templates. This allows arbitrary Java code or system commands to be executed with the same privileges as the servlet container, posing a critical risk.

Affected Software

  • org.apache.velocity:velocity-engine-parent
    • <2.3
  • org.apache.velocity:velocity
    • <=1.7

Technical Details

Apache Velocity Engine versions up to 2.2 are susceptible to remote code execution (RCE) if an attacker gains the ability to modify or upload Velocity templates. The Velocity template engine allows for dynamic content generation, and its scripting capabilities, when exposed without proper sandboxing or restrictions, can be abused. Specifically, if an attacker can inject malicious code into a template, that code will be executed on the server when the template is rendered. This execution occurs with the privileges of the account running the servlet container, allowing for arbitrary Java code execution through template directives or direct system command execution, circumventing application security measures.
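The paragraph above describes the two conditions that make this exploitable: template source that an attacker can influence, and an introspector that lets template directives reach Java reflection. The class below is an added example (it is not code from the advisory or from the Velocity project) showing how a deployment closes both doors: templates are loaded only from the application's own classpath and only by names on a compile-time allow-list, and the SecureUberspector is switched on so that a tampered template cannot call into Class or ClassLoader. The property keys assume Velocity 2.x naming, and the template names are constructed placeholders.

```java
import java.io.StringWriter;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.util.introspection.SecureUberspector;

/**
 * Added example, not from the advisory or the Velocity project.
 * Two controls against template-driven code execution:
 *   1. templates come only from a fixed classpath location that ships with
 *      the application, selected by a compile-time allow-list, so request
 *      data never picks or supplies template source;
 *   2. the SecureUberspector blocks template access to Class, ClassLoader
 *      and similar reflection entry points as a defense-in-depth layer.
 * Neither replaces upgrading to a fixed release; they limit what a
 * modified template can do if the upgrade lags.
 * Property keys follow the Velocity 2.x scheme (assumption).
 */
public final class HardenedVelocity {

    // Only these templates may ever be rendered. The names are constants,
    // never derived from a request parameter or a client-controlled path.
    // (Constructed placeholder names.)
    private static final Set<String> ALLOWED_TEMPLATES =
            Set.of("templates/welcome.vm", "templates/invoice.vm");

    public static VelocityEngine newEngine() {
        Properties p = new Properties();
        // Templates are read from the application's own classpath resources.
        p.setProperty("resource.loaders", "classpath");
        p.setProperty("resource.loader.classpath.class",
                "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
        // Restrict introspection so templates cannot reach Class/ClassLoader.
        p.setProperty("introspector.uberspect.class", SecureUberspector.class.getName());
        VelocityEngine engine = new VelocityEngine(p);
        engine.init();
        return engine;
    }

    /** Renders an allow-listed template with a context of plain data values. */
    public static String render(VelocityEngine engine, String templateName,
                                Map<String, Object> model) {
        if (!ALLOWED_TEMPLATES.contains(templateName)) {
            throw new IllegalArgumentException("template not allow-listed: " + templateName);
        }
        VelocityContext ctx = new VelocityContext();
        model.forEach(ctx::put);
        Template t = engine.getTemplate(templateName, "UTF-8");
        StringWriter out = new StringWriter();
        t.merge(ctx, out);
        return out.toString();
    }

    // The pattern the advisory warns about is the reverse of the above:
    // engine.evaluate(ctx, out, "user", templateTextFromRequest) treats request
    // data as template source, so whoever controls that string controls code
    // that runs under the servlet container's account.
}
```

The allow-list is the important part: the engine can be configured as tightly as you like, but if a request parameter is ever passed to `getTemplate` or `evaluate`, the application has handed template authorship to the client, which is exactly the precondition this CVE needs.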

What is the Impact of CVE-2020-13936?

Successful exploitation may allow attackers to execute arbitrary code or system commands on the server, leading to complete system compromise, unauthorized data access, or denial of service.

What is the Exploitability of CVE-2020-13936?

Exploitation of this vulnerability requires an attacker to have the ability to modify or upload Velocity templates. This often implies some form of authenticated access or a prior vulnerability (e.g., file upload or directory traversal). The complexity of crafting malicious templates is low to moderate, given the powerful capabilities of Velocity. Authentication to modify templates is usually a prerequisite, making this primarily a privilege escalation or post-exploitation vulnerability, though it could be leveraged remotely if a template upload function is accessible. The risk factors that increase exploitation likelihood include applications allowing untrusted users to upload or modify templates, insufficient input validation on template content, or a lack of sandboxing for the Velocity engine.

What are the Known Public Exploits?

No known public exploits are listed (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2020-13936?

Available Upgrade Options

  • org.apache.velocity:velocity-engine-parent
    • <2.3 → Upgrade to 2.3
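Turning the affected ranges above into a build-time check: the class below is an added example (not from the advisory) that classifies Maven coordinates as affected or not using the two ranges the advisory lists. It reads lines in the `groupId:artifactId:type:version:scope` form that `mvn dependency:list` prints; the sample lines are constructed. It also matches `velocity-engine-core`, on the assumption that the runtime artifact shares the version of the `velocity-engine-parent` POM named above.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not from the advisory. Flags Maven coordinates that fall in
 * the affected ranges: org.apache.velocity:velocity <=1.7 and
 * org.apache.velocity:velocity-engine-parent <2.3 (velocity-engine-core is
 * treated the same on the assumption that it tracks the parent version).
 */
public final class VelocityVersionCheck {

    // groupId:artifactId:type:version[:scope], one coordinate per line
    private static final Pattern COORD =
            Pattern.compile("([^:\\s]+):([^:\\s]+):[^:\\s]+:([^:\\s]+)(?::[^:\\s]+)?");

    /** Compares dotted numeric versions; non-numeric qualifiers count as 0. */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("[.-]");
        String[] pb = b.split("[.-]");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? numeric(pa[i]) : 0;
            int y = i < pb.length ? numeric(pb[i]) : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    private static int numeric(String s) {
        try {
            return Integer.parseInt(s);
        } catch (NumberFormatException e) {
            return 0;
        }
    }

    /** True when the coordinate lies in a range the advisory marks as affected. */
    public static boolean isAffected(String groupId, String artifactId, String version) {
        if (!"org.apache.velocity".equals(groupId)) {
            return false;
        }
        switch (artifactId) {
            case "velocity":               // <=1.7
                return compareVersions(version, "1.7") <= 0;
            case "velocity-engine-parent": // <2.3
            case "velocity-engine-core":   // assumption: same version as the parent
                return compareVersions(version, "2.3") < 0;
            default:
                return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample of `mvn dependency:list` output lines.
        String[] lines = {
            "org.apache.velocity:velocity-engine-core:jar:2.2:compile",
            "org.apache.velocity:velocity:jar:1.7:compile",
            "org.apache.velocity:velocity-engine-core:jar:2.3:compile",
            "org.apache.commons:commons-lang3:jar:3.12.0:compile",
        };
        for (String line : lines) {
            Matcher m = COORD.matcher(line.trim());
            if (!m.matches()) {
                continue;
            }
            boolean hit = isAffected(m.group(1), m.group(2), m.group(3));
            System.out.println((hit ? "AFFECTED  " : "ok        ") + line.trim());
        }
    }
}
```

Run it over the real `mvn dependency:list` output of a build and anything printed as AFFECTED needs the upgrade to 2.3; transitive pulls of the old `velocity` 1.x artifact are the ones most often missed because no direct dependency names them.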


Additional Resources

What are Similar Vulnerabilities to CVE-2020-13936?

Similar Vulnerabilities: CVE-2017-12613, CVE-2018-13271, CVE-2019-0193, CVE-2020-1935, CVE-2021-24713