Security update for velocity SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0447-1 Final 1 1 2021-03-19T11:12:16Z current 2021-03-19T11:12:16Z 2021-03-19T11:12:16Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for velocity This update for velocity fixes the following issues: - CVE-2020-13936: Fixed an arbitrary code execution when attacker is able to modify templates (bsc#1183360). This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-447 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/X7H6XAK2KQMJUKMVVIRDA5YQLUSPV5YO/ E-Mail link for openSUSE-SU-2021:0447-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1183360 SUSE Bug 1183360 https://www.suse.com/security/cve/CVE-2020-13936/ SUSE CVE CVE-2020-13936 page openSUSE Leap 15.2 velocity-1.7-lp152.5.3.1 velocity-demo-1.7-lp152.5.3.1 velocity-javadoc-1.7-lp152.5.3.1 velocity-manual-1.7-lp152.5.3.1 velocity-1.7-lp152.5.3.1 as a component of openSUSE Leap 15.2 velocity-demo-1.7-lp152.5.3.1 as a component of openSUSE Leap 15.2 velocity-javadoc-1.7-lp152.5.3.1 as a component of openSUSE Leap 15.2 velocity-manual-1.7-lp152.5.3.1 as a component of openSUSE Leap 15.2 An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2. CVE-2020-13936 openSUSE Leap 15.2:velocity-1.7-lp152.5.3.1 openSUSE Leap 15.2:velocity-demo-1.7-lp152.5.3.1 openSUSE Leap 15.2:velocity-javadoc-1.7-lp152.5.3.1 openSUSE Leap 15.2:velocity-manual-1.7-lp152.5.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/X7H6XAK2KQMJUKMVVIRDA5YQLUSPV5YO/ https://www.suse.com/security/cve/CVE-2020-13936.html CVE-2020-13936 https://bugzilla.suse.com/1183360 SUSE Bug 1183360