The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks. References: https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E http://www.openwall.com/lists/oss-security/2021/03/10/2
Created eclipse tracking bugs for this issue: Affects: fedora-all [bug 1937446] Created velocity tracking bugs for this issue: Affects: fedora-all [bug 1937447]
Upstream fix https://github.com/apache/velocity-tools/commit/e141828a4eb03e4b0224535eed12b5c463a24152 (I believe)
Both hive-container and logging-elasticsearch6-container don't have any references to velocity-tools. I also checked the included velocity.jar and it doesn't include the affected classes. I think the only product here to be affected will be fuse based on our manifests?
Flaw summary: Apache velocity-tools' VelocityView has an error page which appears when a user attempts to access a non-existent file on the server. It reflects the filename of the page requested on the error page without first sanitizing the text. This could allow a malicious actor to execute JavaScript on the page in a reflected cross-site scripting attack. The (one-liner) patch applied upstream in velocity-tools-view/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java uses the StringEscapeUtils.escapeHtml4() method to first sanitize the input and prevent such an attack.
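The following is an added illustration, not code from velocity-tools or from the comment above: it places a minimal error-page builder that reflects the requested template path verbatim beside one that HTML-escapes the path first with StringEscapeUtils.escapeHtml4(), which is the mechanism the upstream one-line fix relies on. The class name, method names and the sample input are invented for the demo; it assumes Apache Commons Lang 3 (org.apache.commons.lang3) is on the classpath, which is where escapeHtml4() lives.

```java
// Added example (not the project's own code). Assumes commons-lang3 on the classpath.
import org.apache.commons.lang3.StringEscapeUtils;

public class ErrorPageEscapingDemo {

    /** Vulnerable shape: the requested path is concatenated into HTML unchanged,
     *  so any markup in the URL is interpreted by the browser as markup. */
    static String unsafeErrorPage(String requestedPath) {
        return "<html><body><h2>Error processing a template</h2>"
             + "<p>Could not find template: " + requestedPath + "</p>"
             + "</body></html>";
    }

    /** Hardened shape: escape the path before embedding it, as the upstream patch does.
     *  escapeHtml4 turns <, >, &, " into entities, so the browser renders them as text. */
    static String safeErrorPage(String requestedPath) {
        String escaped = StringEscapeUtils.escapeHtml4(requestedPath);
        return "<html><body><h2>Error processing a template</h2>"
             + "<p>Could not find template: " + escaped + "</p>"
             + "</body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a template name carrying markup, as it could arrive in a URL path.
        String markupName = "<script>alert(1)</script>.vm";
        // Constructed sample input: an ordinary, legitimate template name.
        String plainName = "index.vm";

        // Unescaped page still contains a live <script> element; escaped page does not.
        System.out.println("unsafe contains raw <script>: " + unsafeErrorPage(markupName).contains("<script>"));
        System.out.println("safe contains raw <script>:   " + safeErrorPage(markupName).contains("<script>"));

        // The escaped page carries the name as entities instead (&lt;script&gt;...).
        System.out.println("safe carries entities:        " + safeErrorPage(markupName).contains("&lt;script&gt;"));

        // A legitimate name is unaffected by escaping, so the fix does not change normal output.
        System.out.println("plain name unchanged:         " + safeErrorPage(plainName).contains("Could not find template: index.vm"));

        System.out.println(safeErrorPage(markupName));
    }
}
```

A useful review check when auditing similar error or "not found" pages is to grep for any request-derived value (path, query parameter, header) that is concatenated into HTML without passing through an escaper appropriate to the context it lands in; the template-name reflection here is exactly that pattern.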
Statement: velocity as shipped in Red Hat Enterprise Linux 6, 7, and 8, as well as CodeReady Studio 12, is not affected by this flaw as the affected velocity-tools code is not present in shipped products. This includes those shipped in javapackages-tools and pki-deps as well.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13959