CVE-2020-13936 security vulnerability in org.apache.velocity_velocity

Our security scanner reports the library org.apache.velocity_velocity, which is used in your sources, as vulnerable.
This applies to applications that allow untrusted users to upload/modify Velocity templates and run Apache Velocity Engine versions up to 2.2.

CVE Description: NVD - cve-2020-13936

Package: search-guard-7/velocity-1.7.jar

Affected Versions: up to 2.2

Could you please update the library version to fix this issue, or confirm that you don't allow users to upload/modify Velocity templates at all?

Hi - Velocity is used internally by the SAML library we ship. A user cannot change or upload any Velocity templates, so Search Guard is unaffected by this CVE. I will file an issue nonetheless to see if we can upgrade the SAML libs.
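The distinction the reply draws (templates shipped with the application versus templates supplied by users) is what decides whether this CVE applies. The following is an added example, not code from Search Guard or from its SAML library, showing the two code shapes side by side with the Velocity 1.7 API that matches the packaged jar. The template path `templates/saml-post-binding.vm` and the `relayState` variable are assumptions for illustration.

```java
// Added example (not Search Guard's or Velocity's own code): templates are
// resolved only from the application's classpath, and user data enters solely
// as context values, so no user can change or upload template source.
import java.io.StringWriter;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader;

public class TrustedTemplatesOnly {

    private final VelocityEngine engine;

    public TrustedTemplatesOnly() {
        engine = new VelocityEngine();
        // Velocity 1.7 property keys: load templates only from the classpath,
        // i.e. files bundled inside the jar. Nothing uploaded or edited at
        // runtime can be resolved through this loader.
        engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
        engine.setProperty("classpath.resource.loader.class",
                ClasspathResourceLoader.class.getName());
        engine.init();
    }

    // Safe pattern: the template name is a fixed constant chosen by the
    // application, and the user-supplied value is placed in the context.
    // Velocity renders context values as data, not as directives.
    public String render(String relayState) {
        Template template = engine.getTemplate("templates/saml-post-binding.vm"); // assumed path
        VelocityContext context = new VelocityContext();
        context.put("relayState", relayState);
        StringWriter out = new StringWriter();
        template.merge(context, out);
        return out.toString();
    }

    // Pattern the CVE applies to: the template text itself comes from an
    // untrusted party, so it may contain directives rather than plain data.
    // Shown only to make the contrast visible; never pass user input here.
    public String renderUntrustedTemplate(String templateSource) {
        VelocityContext context = new VelocityContext();
        StringWriter out = new StringWriter();
        engine.evaluate(context, out, "untrusted", templateSource);
        return out.toString();
    }
}
```

When auditing a dependency like this, the check is whether any call path reaches `evaluate(...)` or a non-classpath resource loader (for example a file loader pointed at a writable directory) with content a user can influence; if every template is a bundled resource and user input only ever appears via `context.put`, the condition in the CVE description is not met.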

Hi. Thank you very much for the response.
