Resolution: Not A Bug
Affects Version/s: 1.7
Fix Version/s: None
I was checking this vulnerability for struts against velocity and it looks like it may apply here also.
When I use the code on my template:
$model.class.getClassLoader() I get the following:
WebappClassLoader context: /events delegate: false repositories: /WEB-INF/classes/ ----------> Parent Classloader: org.apache.catalina.loader.StandardClassLoader@47711479
I am not sure on what type of manipulation was used in the vulnerability, but on struts, this type of response has been blocked.