VELOCITY-946: Questions about the existing velocity safety mechanism


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid

    Description

      hello sir:
      I noticed that velocity-core fixes CVE-2020-13936 (https://github.com/apache/velocity-engine/pull/16/files), but the following content

      introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
      introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
      introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
      introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory

      is added in the velocity-engine-core/src/test/resources/oldproperties/velocity.properties file. I think this is a test file and would not take effect at runtime.

      As for the effective org\apache\velocity\runtime\defaults\velocity.properties file, these blacklist entries have not been added to it, so in the velocity-tools-view framework the payload ${req.getServletContext().getAttribute('org.apache.tomcat.InstanceManager').newInstance('javax.script.ScriptEngineManager').getEngineByName ('js').eval(xx) is still valid, and velocity-tools-view does not enable SecureUberspector by default.
      So I don't know whether putting this blacklist in the test file means that an application that calls velocity-core needs to add the blacklist itself, or whether velocity-core forgot to add these blacklists to org\apache\velocity\runtime\defaults\velocity.properties. Can this be considered a vulnerability?
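Whatever the answer to the reporter's question about which properties file is effective, the mitigation the issue points at is under the embedding application's control: the engine that renders user-influenced templates can be configured to use SecureUberspector and to extend its restricted-class list with the container InstanceManager classes quoted above. The following is an added example written for this page, not code from the Velocity project or from the reporter. It assumes the Velocity 1.7/2.x constants RuntimeConstants.UBERSPECT_CLASSNAME, INTROSPECTOR_RESTRICT_CLASSES and INTROSPECTOR_RESTRICT_PACKAGES, the class org.apache.velocity.util.introspection.SecureUberspector, and that a comma-separated value is accepted as the multi-value form that a properties file expresses by repeating the key; the JDK entries in the list are the ones the stock defaults file carries and are repeated here rather than relying on the override being merged with them.

```java
import java.io.StringWriter;
import java.util.Properties;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Hardened VelocityEngine configuration (example added for this page; not Velocity project code).
 * Enables SecureUberspector, which is not the default, and restricts the container classes
 * named in VELOCITY-946 in addition to the JDK classes the stock defaults already restrict.
 */
public class SecureVelocityConfig {

    // Assumed class name of Velocity's restrictive introspector.
    static final String SECURE_UBERSPECTOR =
        "org.apache.velocity.util.introspection.SecureUberspector";

    // JDK classes from the stock velocity.properties defaults (repeated so the override is complete),
    // followed by the container InstanceManager classes quoted in the issue.
    static final String[] RESTRICTED_CLASSES = {
        "java.lang.Class", "java.lang.ClassLoader", "java.lang.Compiler",
        "java.lang.InheritableThreadLocal", "java.lang.Package", "java.lang.Process",
        "java.lang.Runtime", "java.lang.RuntimePermission", "java.lang.SecurityManager",
        "java.lang.System", "java.lang.Thread", "java.lang.ThreadGroup", "java.lang.ThreadLocal",
        "org.apache.catalina.core.DefaultInstanceManager",
        "org.apache.tomcat.SimpleInstanceManager",
        "org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager",
        "org.eclipse.jetty.util.DecoratedObjectFactory"
    };

    /** Properties that switch the introspector to SecureUberspector and set its deny lists. */
    public static Properties hardenedProperties() {
        Properties p = new Properties();
        // The default uberspector is permissive; SecureUberspector must be selected explicitly.
        p.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME, SECURE_UBERSPECTOR);
        // Assumption: a comma-separated value is split into the same list a repeated key would build.
        p.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_CLASSES, String.join(",", RESTRICTED_CLASSES));
        p.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_PACKAGES, "java.lang.reflect");
        return p;
    }

    /** Builds an engine from the hardened properties and verifies the introspector actually took effect. */
    public static VelocityEngine hardenedEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.init(hardenedProperties());
        // Startup check: fail fast if some other properties source overrode the uberspector.
        Object active = engine.getProperty(RuntimeConstants.UBERSPECT_CLASSNAME);
        if (!SECURE_UBERSPECTOR.equals(String.valueOf(active))) {
            throw new IllegalStateException("SecureUberspector is not active: " + active);
        }
        return engine;
    }

    /** Renders an inline template string with the given context. */
    public static String render(VelocityEngine engine, String template, VelocityContext ctx) {
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "SecureVelocityConfig", template);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine engine = hardenedEngine();
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "world");
        // Ordinary property access in a trusted template keeps working under the secure introspector.
        System.out.println(render(engine, "Hello $name", ctx));
    }
}
```

The startup check matters precisely because of the issue's point about a properties file that is never loaded: the engine reports the uberspector it actually initialised with, so a misplaced or shadowed velocity.properties shows up at boot rather than in a template. For velocity-tools-view the same keys would go into the properties file that VelocityView loads for the web application; which file that is depends on the tools version and its configuration, and is not covered by this example.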

      People

        Assignee: Unassigned
        Reporter: n4nch341