{"id":"MGASA-2021-0183","summary":"Updated velocity packages fix security vulnerability","details":"An attacker that is able to modify Velocity templates may execute arbitrary\nJava code or run arbitrary system commands with the same privileges as the\naccount running the Servlet container.  This applies to applications that allow\nuntrusted users to upload/modify velocity templates running Apache Velocity\nEngine versions up to 2.2 (CVE-2020-13936).\n","modified":"2026-02-01T21:07:35.402953Z","published":"2021-04-12T19:59:59Z","related":["CVE-2020-13936"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0183.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28681"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2021/03/10/1"}],"affected":[{"package":{"name":"velocity","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/velocity?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7-22.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0183.json"}},{"package":{"name":"velocity","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/velocity?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7-33.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0183.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}