openSUSE-SU-2021:0447-1

Опубликовано: 19 мар. 2021

Источник: suse-cvrf

Описание

Security update for velocity

This update for velocity fixes the following issues:

CVE-2020-13936: Fixed an arbitrary code execution when attacker is able to modify templates (bsc#1183360).

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Список пакетов

openSUSE Leap 15.2

velocity-1.7-lp152.5.3.1

velocity-demo-1.7-lp152.5.3.1

velocity-javadoc-1.7-lp152.5.3.1

velocity-manual-1.7-lp152.5.3.1

Ссылки

https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/X7H6XAK2KQMJUKMVVIRDA5YQLUSPV5YO/
E-Mail link for openSUSE-SU-2021:0447-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1183360
SUSE Bug 1183360
https://www.suse.com/security/cve/CVE-2020-13936/
SUSE CVE CVE-2020-13936 page

Описание

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Затронутые продукты

openSUSE Leap 15.2:velocity-1.7-lp152.5.3.1

openSUSE Leap 15.2:velocity-demo-1.7-lp152.5.3.1

openSUSE Leap 15.2:velocity-javadoc-1.7-lp152.5.3.1

openSUSE Leap 15.2:velocity-manual-1.7-lp152.5.3.1

Ссылки

https://www.suse.com/security/cve/CVE-2020-13936.html
CVE-2020-13936
https://bugzilla.suse.com/1183360
SUSE Bug 1183360

openSUSE-SU-2021:0447-1

Описание

Список пакетов

openSUSE Leap 15.2

Ссылки

Уязвимость: CVE-2020-13936

Описание

Затронутые продукты

Ссылки