velocity-custom-parser-example-2.2-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11678 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z velocity-custom-parser-example-2.2-1.1 on GA media These are all security issues fixed in the velocity-custom-parser-example-2.2-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11678 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11678 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-13936/ SUSE CVE CVE-2020-13936 page openSUSE Tumbleweed velocity-custom-parser-example-2.2-1.1 velocity-engine-core-2.2-1.1 velocity-engine-examples-2.2-1.1 velocity-engine-javadoc-2.2-1.1 velocity-engine-parent-2.2-1.1 velocity-engine-scripting-2.2-1.1 velocity-custom-parser-example-2.2-1.1 as a component of openSUSE Tumbleweed velocity-engine-core-2.2-1.1 as a component of openSUSE Tumbleweed velocity-engine-examples-2.2-1.1 as a component of openSUSE Tumbleweed velocity-engine-javadoc-2.2-1.1 as a component of openSUSE Tumbleweed velocity-engine-parent-2.2-1.1 as a component of openSUSE Tumbleweed velocity-engine-scripting-2.2-1.1 as a component of openSUSE Tumbleweed An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2. CVE-2020-13936 openSUSE Tumbleweed:velocity-custom-parser-example-2.2-1.1 openSUSE Tumbleweed:velocity-engine-core-2.2-1.1 openSUSE Tumbleweed:velocity-engine-examples-2.2-1.1 openSUSE Tumbleweed:velocity-engine-javadoc-2.2-1.1 openSUSE Tumbleweed:velocity-engine-parent-2.2-1.1 openSUSE Tumbleweed:velocity-engine-scripting-2.2-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-13936.html CVE-2020-13936 https://bugzilla.suse.com/1183360 SUSE Bug 1183360