CVE-2020-13936 security vulnerability in org.apache.velocity_velocity

arthurpapanyan · July 14, 2022, 5:34pm

Our security scanner reports lib org.apache.velocity_velocity which is used in your sources as vulnerable.
This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

CVE Description: NVD - cve-2020-13936

Package: search-guard-7/velocity-1.7.jar

Affected Versions: up to 2.2

Could you please update library version to fix this issue, or confirm that you don’t allow users to upload/modify velocity templates at all.

jkressin · July 15, 2022, 2:43pm

Hi - Velocity is used internally by the SAML library we ship. A user cannot change or upload any Velocity templates, so Search Guard is unaffected by this CVE. I will file an issue nonetheless to see if we can upgrade the SAML libs.

arthurpapanyan · July 18, 2022, 12:24pm

Hi. Thank you very much for response.

Topic		Replies	Views
Seach Guard and CVE-2022-42889 Search Guard	2	628	October 25, 2022
Vulnerability detected on Search-guard -7 Search Guard	8	169	September 10, 2024
Is SearchGuard Affected by CVE-2020-2653 Search Guard	2	497	March 30, 2020
Apache CXF < 3.5.8, 3.6.x < 3.6.3, 4.0.x < 4.0.4 SSRF Vulnerability on SearchGuard plugins Search Guard	2	358	September 10, 2024
CVE-2022-46364 \| GHSA-x3x3-qwjq-8gj4 Security Issue on SearchGuard Search Guard	1	613	February 20, 2023

CVE-2020-13936 security vulnerability in org.apache.velocity_velocity

Related topics