CVE-2020-13936

Name	CVE-2020-13936
Description	An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2595-1
Debian Bugs	985220

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
velocity (PTS)	bookworm, bullseye	1.7-6	fixed
	sid, trixie	1.7-7	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
velocity	source	stretch	1.7-5+deb9u1	DLA-2595-1
velocity	source	buster	1.7-5+deb10u1
velocity	source	(unstable)	1.7-6		985220

Notes

https://www.openwall.com/lists/oss-security/2021/03/10/1
Fixed by: https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485