Bug 775248 (CVE-2020-13936) - <dev-java/velocity-2.3: multiple vulnerabilities (CVE-2020-13936)
Summary: <dev-java/velocity-2.3: multiple vulnerabilities (CVE-2020-13936)
Status: IN_PROGRESS
Alias: CVE-2020-13936
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [stable?]
Keywords: PullRequest
Depends on: CVE-2021-29425 736962 785772
Blocks: 784065
Reported: 2021-03-10 13:21 UTC by John Helmert III
Modified: 2021-04-27 18:24 UTC (History)

See Also:
Package list:
dev-java/velocity-2.3 *
Runtime testing required: ---
nattka: sanity-check-


Attachments
velocity-2.3.ebuild (velocity-2.3.ebuild, 2.09 KB, text/plain), 2021-04-05 16:53 UTC, Volkmar W. Pogatzki

Description John Helmert III gentoo-dev Security 2021-03-10 13:21:40 UTC
CVE-2020-13936 (https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a%40%3Cuser.velocity.apache.org%3E):

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

CVE-2020-13959 (https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E):

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.


Please bump to 3.1.
Comment 1 Volkmar W. Pogatzki 2021-04-05 16:53:08 UTC
Created attachment 697773
velocity-2.3.ebuild

(In reply to John Helmert III from comment #0)
> CVE-2020-13936
> [...]
> allow untrusted users to upload/modify velocity templates running Apache
> Velocity Engine versions up to 2.2.
> 
Upgrading to velocity-engine-2.3 needs
* commons-io-2.8.0
* hsqldb-2.5.1
(See attached velocity-2.3.ebuild)
Comment 2 Larry the Git Cow gentoo-dev 2021-04-25 15:23:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71aa218c86852f9b6b3891ae33bb93445053dc8d

commit 71aa218c86852f9b6b3891ae33bb93445053dc8d
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-04-17 20:23:16 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-25 15:23:46 +0000

    dev-java/velocity: bump to 2.3
    
    Bug: https://bugs.gentoo.org/775248
    
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/20429
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/velocity/Manifest            |   1 +
 dev-java/velocity/velocity-2.3.ebuild | 144 ++++++++++++++++++++++++++++++++++
 2 files changed, 145 insertions(+)
Comment 3 John Helmert III gentoo-dev Security 2021-04-25 23:55:35 UTC
Now that I look closer I see CVE-2020-13959 doesn't apply to dev-java/velocity, so thank you for the bump and please stabilize when ready!
Comment 10 NATTkA bot gentoo-dev 2021-04-27 18:24:32 UTC
Unable to check for sanity:

> dependent bug #782568 is missing keywords