Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2020-13936

Опубликовано: 10 мар. 2021
Источник: nvd
CVSS3: 8.8
CVSS2: 9
EPSS Средний

Описание

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:velocity_engine:*:*:*:*:*:*:*:*
Версия до 2.3 (исключая)
cpe:2.3:a:apache:wss4j:2.3.1:*:*:*:*:*:*:*
Конфигурация 2
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Конфигурация 3

Одно из

cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_default_management:*:*:*:*:*:*:*:*
Версия от 2.3.0 (включая) до 2.4.1 (включая)
cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_loans_servicing:2.12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*
Версия от 2.3.0 (включая) до 2.4.1 (включая)
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_token_proxy_service:19.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_office_cloud_service:16.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_office_cloud_service:17.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_office_cloud_service:18.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_office_cloud_service:19.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_office_cloud_service:20.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*

EPSS

Процентиль: 95%
0.16401
Средний

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

ubuntu логотип

CVE-2020-13936

CVSS3: 8.8
ubuntu
почти 5 лет назад

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

redhat логотип

CVE-2020-13936

CVSS3: 8.8
redhat
почти 5 лет назад

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

debian логотип

CVE-2020-13936

CVSS3: 8.8
debian
почти 5 лет назад

An attacker that is able to modify Velocity templates may execute arbi ...

suse-cvrf логотип

openSUSE-SU-2021:0447-1

suse-cvrf
почти 5 лет назад

Security update for velocity

suse-cvrf логотип

SUSE-SU-2025:0719-1

suse-cvrf
12 месяцев назад

Recommended update for Maven

EPSS

Процентиль: 95%
0.16401
Средний

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

NVD-CWE-noinfo