CVE-2020-13936: Apache Velocity Sandbox Bypass Vulnerability Alert

Velocity is a Java-based template engine. It lets users reference objects defined in Java code through a simple yet powerful template language. Apache Velocity recently disclosed a remote code execution vulnerability (CVE-2020-13936). An attacker who can modify a Velocity template can execute arbitrary Java code or run arbitrary system commands with the same permissions as the account running the Servlet container.
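The precondition the advisory names is control over the template text itself. The following is an added example (not code from the advisory or from the Velocity project) contrasting that anti-pattern with the pattern that keeps untrusted input as data; the method names `renderUnsafe` and `renderSafe` and the sample input are assumptions, and the Velocity calls used are the standard `VelocityEngine.evaluate` and `VelocityContext.put`.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

public class VelocityTemplateHandling {

    // Anti-pattern: untrusted text is concatenated into the template source.
    // Whoever controls `userInput` controls the template, which is exactly the
    // situation the advisory describes; on Velocity <= 2.2 the sandbox does not
    // reliably prevent such a template from reaching arbitrary Java code.
    static String renderUnsafe(VelocityEngine engine, String userInput) {
        String template = "Hello, " + userInput + "!";
        StringWriter out = new StringWriter();
        engine.evaluate(new VelocityContext(), out, "greeting", template);
        return out.toString();
    }

    // Safer pattern: the template is a developer-controlled constant and the
    // untrusted value enters only through the context, where it is data, not code.
    // This is a design control; upgrading to Velocity >= 2.3 is still required.
    private static final String GREETING_TEMPLATE = "Hello, $name!";

    static String renderSafe(VelocityEngine engine, String userInput) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", userInput);
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "greeting", GREETING_TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine engine = new VelocityEngine();
        engine.init();
        // Constructed sample input that looks like Velocity directive syntax.
        String userInput = "#set($x = 1) $x";
        // renderSafe prints the input literally ("Hello, #set($x = 1) $x!"),
        // because a context value is never parsed as template syntax.
        System.out.println(renderSafe(engine, userInput));
    }
}
```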

CVE-2020-13936

Affected version

  • Apache Velocity <= 2.2

Unaffected version

  • Apache Velocity >= 2.3

Solution

Apache Velocity has fixed the vulnerability in a new release. Users running an affected version should upgrade to an unaffected version.