OESA-2021-1157

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1157

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2021-1157.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2021-1157

Upstream

CVE-2020-13936

Published

2021-05-06T11:02:50Z

Modified

2025-08-12T05:05:11.547638Z

Summary

velocity security update

Details

Velocity is a Java-based template engine. It permits anyone to use the simple yet powerful template language to reference objects defined in Java code.

Security Fix(es):

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.(CVE-2020-13936)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:20.03-LTS-SP1 / velocity

Package

Name: velocity
Purl: pkg:rpm/openEuler/velocity&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7-26.oe1

Ecosystem specific

{
    "noarch": [
        "velocity-1.7-26.oe1.noarch.rpm",
        "velocity-help-1.7-26.oe1.noarch.rpm"
    ],
    "src": [
        "velocity-1.7-26.oe1.src.rpm"
    ]
}