CVE-2020-13936
- EPSS 10.88%
- Published 10.03.2021 08:15:14
- Last modified 21.11.2024 05:02:11
- Source security@apache.org
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
Data is provided by the National Vulnerability Database (NVD)
Apache ≫ Velocity Engine Version < 2.3
Debian ≫ Debian Linux Version 9.0
Oracle ≫ Banking Deposits And Lines Of Credit Servicing Version 2.12.0
Oracle ≫ Banking Enterprise Default Management Version >= 2.3.0 <= 2.4.1
Oracle ≫ Banking Enterprise Default Management Version 2.6.2
Oracle ≫ Banking Enterprise Default Management Version 2.7.1
Oracle ≫ Banking Enterprise Default Management Version 2.10.0
Oracle ≫ Banking Enterprise Default Management Version 2.12.0
Oracle ≫ Banking Loans Servicing Version 2.12.0
Oracle ≫ Banking Party Management Version 2.7.0
Oracle ≫ Banking Platform Version >= 2.3.0 <= 2.4.1
Oracle ≫ Banking Platform Version 2.6.2
Oracle ≫ Banking Platform Version 2.7.1
Oracle ≫ Communications Cloud Native Core Policy Version 1.14.0
Oracle ≫ Communications Network Integrity Version 7.3.6
Oracle ≫ Hospitality Token Proxy Service Version 19.2
Oracle ≫ Retail Integration Bus Version 19.0.1
Oracle ≫ Retail Order Broker Version 16.0
Oracle ≫ Retail Service Backbone Version 19.0.1
Oracle ≫ Retail Xstore Office Cloud Service Version 16.0.6
Oracle ≫ Retail Xstore Office Cloud Service Version 17.0.4
Oracle ≫ Retail Xstore Office Cloud Service Version 18.0.3
Oracle ≫ Retail Xstore Office Cloud Service Version 19.0.2
Oracle ≫ Retail Xstore Office Cloud Service Version 20.0.1
Oracle ≫ Utilities Testing Accelerator Version 6.0.0.1.1
Oracle ≫ Utilities Testing Accelerator Version 6.0.0.2.2
Oracle ≫ Utilities Testing Accelerator Version 6.0.0.3.1
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 10.88% | 0.931 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
nvd@nist.gov | 9 | 8 | 10 | AV:N/AC:L/Au:S/C:C/I:C/A:C |