
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN157
_____________________________________________________________________

DATE                : 11/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Velocity versions prior to
                     2.3.

=====================================================================
http://mail-archives.apache.org/mod_mbox/velocity-user/202103.mbox/%3cCADDz7ZtaNyZSLyLhFochzWFZxaknbsRMbMHzyriHL-Cn6suRvQ@mail.gmail.com%3e
http://mail-archives.apache.org/mod_mbox/velocity-user/202103.mbox/%3cCADDz7Zu71ZT-Wnv6NtRPp1ZVjhrwUd0yaAOk9B-77=taf245Qg@mail.gmail.com%3e
_____________________________________________________________________

CVE-2020-13936: Velocity Sandbox Bypass

Description:

An attacker that is able to modify Velocity templates may execute
arbitrary Java code or run arbitrary system commands with the same
privileges as the account running the Servlet container.  This applies
to applications that allow untrusted users to upload/modify velocity
templates running Apache Velocity Engine versions up to 2.2.

Mitigation:

Applications using Apache Velocity that allow untrusted users to
upload templates should upgrade to version 2.3.  This version adds
additional default restrictions on what methods/properties can be
accessed in a template.

Credit:

This issue was discovered by Alvaro Munoz pwntester () github com of
Github Security Labs and was originally reported as GHSL-2020-048.


_____________________________________________________________________

CVE-2020-13959: Velocity Tools XSS Vulnerability

Description:

The default error page for VelocityView reflects back the vm file that
was entered as part of the URL.  An attacker can set an XSS payload
file as this vm file in the URL which results in this payload being
executed.

XSS vulnerabilities allow attackers to execute arbitrary JavaScript in
the context of the attacked website and the attacked user. This can be
abused to steal session cookies, perform requests in the name of the
victim or for phishing attacks.

Mitigation:

Applications based on Apache Velocity Tools should upgrade to version
3.1.  This version escapes the reflected text on the default error
page, preventing potential JavaScript execution.

Credit:

This issue was reported and a patch was submitted by Jackson Henry,
member of Sakura Samurai.
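The pattern behind CVE-2020-13959, shown as an added example that is
not code from this advisory or from the Velocity Tools project: a
request-supplied template name is reflected into an HTML error page.
The escapeHtml helper, the page strings and the sample input are all
constructed for illustration; the actual fix in Velocity Tools 3.1 is
the project's own escaping and is not reproduced here.

```java
// Added example, not from the advisory or Velocity Tools.
// Contrasts an error page that reflects the requested .vm name unescaped
// with one that HTML-escapes it before insertion into the markup.
public class ErrorPageEscaping {

    // Assumed helper: minimal HTML escaping for text placed inside an
    // element body. Not the escaping routine Velocity Tools itself uses.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: a request-controlled value is concatenated
    // straight into the page, so any markup in it reaches the browser.
    static String unsafeErrorPage(String templateName) {
        return "<html><body><h1>Error</h1><p>Could not load template "
             + templateName + "</p></body></html>";
    }

    // Hardened pattern: the same page with the value escaped first, so
    // the browser renders the name as text rather than as markup.
    static String safeErrorPage(String templateName) {
        return "<html><body><h1>Error</h1><p>Could not load template "
             + escapeHtml(templateName) + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample: a requested .vm name that carries markup.
        String requested = "<script>alert(1)</script>.vm";

        System.out.println("unsafe: " + unsafeErrorPage(requested));
        System.out.println("safe:   " + safeErrorPage(requested));

        // In the hardened output every '<' from the input has become
        // "&lt;", so no tag from the request survives into the page.
        System.out.println("raw tag present in safe page: "
            + safeErrorPage(requested).contains("<script>"));
    }
}
```

Compile and run with `javac ErrorPageEscaping.java && java
ErrorPageEscaping`. The defender's check is the last line: after
escaping, the page must not contain any tag that originated in the
request, which is exactly what the 3.1 fix guarantees for the default
error page.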


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


