[AMBARI-25805] Fix Ambari CVE velocity-1.7.jar - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.8.0
Component/s: None
Labels:
None

Description

CVE-2020-13936
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Attachments

Issue Links

links to

GitHub PR#3607

Activity

People

Assignee:: Himanshu Maurya

Reporter:: Himanshu Maurya

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 12/Dec/22 09:08

Updated:: 13/Dec/22 15:07

Resolved:: 13/Dec/22 05:58

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

0.5h