Service Notices
Apache Velocity Remote Code Execution Vulnerability (CVE-2020-13936)
Mar 16, 2021 GMT+08:00
I. Overview
Apache Velocity officially disclosed a remote code execution vulnerability (CVE-2020-13936). An attacker who is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. According to the official advisory, this applies to applications that allow untrusted users to upload or modify Velocity templates; applications whose templates ship with the code and that only pass user input into the template context are not the case described, although such input must still be treated as data, never as template text.
Velocity is an open-source, Java-based template engine hosted by the Apache Software Foundation. It aims to ensure clean separation between the presentation tier and the business tier in a Web application (the model-view-controller design pattern), which means templates can reference and call methods on the Java objects placed in their context.
If you are an Apache Velocity user, check which Velocity Engine version your services depend on, check whether any of them render templates that untrusted users can supply or edit, and apply the fix promptly.
For more information about this vulnerability, visit the following website:
https://velocity.apache.org/news.html#CVE-2020-13936
II. Severity
Severity: moderate
(Scale used by the Apache project: low, moderate, important, critical)
III. Affected Products
Affected versions:
Apache Velocity Engine 2.2 and earlier (this includes the 1.x line; no fixed 1.x release exists, so 1.x users must also move to 2.3 or later)
Secure versions:
Apache Velocity 2.3 and later
IV. Vulnerability Handling
This vulnerability has been fixed in Apache Velocity Engine 2.3. If your service uses an affected version, upgrade to 2.3 or later (Maven coordinates for the 2.x line: org.apache.velocity:velocity-engine-core). Upgrading alone does not make it safe to render templates written by untrusted users; keep templates under the application's control and pass untrusted input only as context values.
https://velocity.apache.org/download.cgi
Note: Before applying the fix, back up your files and test the upgraded service thoroughly. Moving from the 1.x line to 2.3 changes the Maven artifact and some configuration property names, so it is not a drop-in replacement.
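The following is an added example, not code from this notice or from the Velocity project. It places the rendering pattern that exposes CVE-2020-13936 (template text taken from a request) next to a hardened pattern (templates loaded only from the classpath, user input passed only as context data), and configures Velocity's SecureUberspector as defence in depth. The Velocity class names and property keys are real for the 2.x line; the wrapper class, method names, the template file name greeting.vm and the sample input are assumptions for illustration.

```java
// Added example: vulnerable vs. hardened Velocity rendering (not the project's code).
import java.io.StringWriter;
import java.util.Properties;

import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class VelocityRenderingExample {

    // VULNERABLE PATTERN: the template text itself comes from the request.
    // Whoever submits it is a "user able to modify Velocity templates" in the
    // advisory's sense, and on Velocity Engine <= 2.2 such a template can reach
    // arbitrary Java code. Do not do this with untrusted input.
    static String renderUntrustedTemplate(VelocityEngine engine,
                                          String templateFromRequest,
                                          String userName) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", userName);
        StringWriter out = new StringWriter();
        // The request body is parsed and executed as VTL here.
        engine.evaluate(ctx, out, "untrusted", templateFromRequest);
        return out.toString();
    }

    // HARDENED PATTERN: templates are code and ship with the application.
    // User input only enters the template as a context value, which VTL
    // prints as data; any #directives or $references inside it are not executed.
    static String renderTrustedTemplate(VelocityEngine engine, String userName) {
        // Assumption: greeting.vm exists on the classpath, e.g. "Hello, $name!"
        Template tpl = engine.getTemplate("greeting.vm");
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", userName);
        StringWriter out = new StringWriter();
        tpl.merge(ctx, out);
        return out.toString();
    }

    // Engine configuration: load templates only from the classpath, so a
    // writable upload directory can never become a template source, and switch
    // on SecureUberspector, which refuses getClass()/getClassLoader() calls from
    // templates and blocks the classes and packages listed in the
    // introspector.restrict.classes / introspector.restrict.packages properties.
    // This is defence in depth; upgrading to 2.3 or later is still required.
    static VelocityEngine hardenedEngine() {
        Properties p = new Properties();
        p.setProperty(RuntimeConstants.RESOURCE_LOADERS, "classpath");
        p.setProperty("resource.loader.classpath.class",
                "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader");
        p.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        VelocityEngine engine = new VelocityEngine();
        engine.init(p);
        return engine;
    }

    public static void main(String[] args) {
        VelocityEngine engine = hardenedEngine();
        // Constructed input: a "name" that happens to contain VTL syntax. Through
        // the hardened path it is printed literally, because it never becomes
        // template text.
        String userName = "#set($x = 1)$x Alice";
        System.out.println(renderTrustedTemplate(engine, userName));
    }
}
```

To run it, put velocity-engine-core 2.3 or later on the classpath together with a greeting.vm resource; without that file getTemplate throws ResourceNotFoundException. The point of the split is the boundary it enforces: the hardened path gives untrusted parties no way to influence which template is executed or what it contains, and the SecureUberspector setting narrows what a template can reach by reflection if that boundary is ever breached.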