CVE-2020-13936

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-13936

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13936.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-13936

Aliases

GHSA-59j4-wjwp-mw9m

Downstream

DEBIAN-CVE-2020-13936

DLA-2595-1

OESA-2021-1157

RHSA-2021:2046

RHSA-2021:2047

RHSA-2021:2048

RHSA-2021:3656

RHSA-2021:3658

RHSA-2025:1746

RHSA-2025:1747

SUSE-SU-2021:0800-1

SUSE-SU-2022:3397-1

SUSE-SU-2022:3560-1

SUSE-SU-2025:0719-1

UBUNTU-CVE-2020-13936

USN-6281-1

openSUSE-SU-2021:0447-1

openSUSE-SU-2024:11495-1

openSUSE-SU-2024:11678-1

openSUSE-SU-2024:12308-1

Related

Published

2021-03-10T08:15:14Z

Modified

2025-08-09T20:01:27Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

References

Affected packages