CVE-2020-13936 security vulnerability in org.apache.velocity_velocity

arthurpapanyan · July 14, 2022, 5:34pm

Our security scanner reports lib org.apache.velocity_velocity which is used in your sources as vulnerable.
This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

CVE Description: NVD - cve-2020-13936

Package: search-guard-7/velocity-1.7.jar

Affected Versions: up to 2.2

Could you please update library version to fix this issue, or confirm that you don’t allow users to upload/modify velocity templates at all.

jkressin · July 15, 2022, 2:43pm

Hi - Velocity is used internally by the SAML library we ship. A user cannot change or upload any Velocity templates, so Search Guard is unaffected by this CVE. I will file an issue nonetheless to see if we can upgrade the SAML libs.

arthurpapanyan · July 18, 2022, 12:24pm

Hi. Thank you very much for response.

system · August 8, 2022, 12:25pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is there a technical reason to forbid this action: "cluster:admin/snapshot/restore"? Search Guard	1	369	August 17, 2016
Sample config for search-guard-ssl to search-guard transition Search Guard	6	371	October 15, 2018
msearch error handling Search Guard	3	578	October 24, 2016
Jackson-databind-2653 vulnerability Search Guard	3	533	April 24, 2020
sgadmin opens 14 tcp sessions with 50 ms. Please help. Search Guard	0	338	March 30, 2018

CVE-2020-13936 security vulnerability in org.apache.velocity_velocity

Related Topics