What is CVE-2020-13936?

CVE-2020-13936 is a high-severity vulnerability in Apache Velocity_engine. CVSS score: 8.8/10. Published 2021-03-10.

How severe is CVE-2020-13936?

High severity. CVSS v3 base score is 8.8 out of 10.

Is CVE-2020-13936 known to be exploited?

16 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Velocity_engine

CVE-2020-13936

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted…

EPSS: 0.227 (97.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Apache Velocity_engine
Apache Wss4j — versions 2.3.1
Apache Software Foundation Velocity Engine — versions Apache Velocity Engine
Oracle Banking_deposits_and_lines_of_credit_servicing — versions 2.12.0
Oracle Banking_enterprise_default_management — versions 2.6.2, 2.7.1, 2.10.0
Oracle Banking_loans_servicing — versions 2.12.0
Oracle Banking_party_management — versions 2.7.0
Oracle Banking_platform — versions 2.6.2, 2.7.1
Oracle Communications_cloud_native_core_policy — versions 1.14.0
Oracle Communications_network_integrity — versions 7.3.6

Public proof-of-concept exploits

References

security@apache.org (Mailing List, x_refsource_MISC, Vendor Advisory)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2020-13936?: CVE-2020-13936 is a high-severity vulnerability in Apache Velocity_engine. CVSS score: 8.8/10. Published 2021-03-10.
How severe is CVE-2020-13936?: High severity. CVSS v3 base score is 8.8 out of 10.
Is CVE-2020-13936 known to be exploited?: 16 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.