[6.1.2] vulnerable dependency org.apache.velocity:velocity-engine-core@2.2 with CVE-2020-13936 #3205

albuch · 2021-03-19T20:36:35Z

Describe the bug
dependency-check-core v6.1.2 contains a vulnerable dependency org.apache.velocity:velocity-engine-core@2.2 with CVE-2020-13936

Version of dependency-check used
dependency-check-core:6.1.2

The text was updated successfully, but these errors were encountered:

albuch · 2021-03-19T20:39:27Z

I see this is already updated in the current snapshot via #3181, however I'm not sure if this warrants a rather quick release? What's your take on this @jeremylong?

jeremylong · 2021-03-21T13:04:05Z

From the CVE "An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container.'... I'm just not sure the attack path is there for 99.9% of the use cases for ODC...

However, I also know the zero tolerance some have for known vulnerable libraries... So I suppose we should release 6.1.3.

albuch added the bug label Mar 19, 2021

jeremylong added this to the 6.1.3 milestone Mar 22, 2021

jeremylong closed this as completed Mar 22, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[6.1.2] vulnerable dependency org.apache.velocity:velocity-engine-core@2.2 with CVE-2020-13936 #3205

[6.1.2] vulnerable dependency org.apache.velocity:velocity-engine-core@2.2 with CVE-2020-13936 #3205

albuch commented Mar 19, 2021 •

edited

albuch commented Mar 19, 2021 •

edited

jeremylong commented Mar 21, 2021

[6.1.2] vulnerable dependency org.apache.velocity:velocity-engine-core@2.2 with CVE-2020-13936 #3205

[6.1.2] vulnerable dependency org.apache.velocity:velocity-engine-core@2.2 with CVE-2020-13936 #3205

Comments

albuch commented Mar 19, 2021 • edited

albuch commented Mar 19, 2021 • edited

jeremylong commented Mar 21, 2021

albuch commented Mar 19, 2021 •

edited

albuch commented Mar 19, 2021 •

edited