Bug 1937445 (CVE-2020-13959) - CVE-2020-13959 velocity: XSS in the default error page for VelocityView
Summary: CVE-2020-13959 velocity: XSS in the default error page for VelocityView
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-13959
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1937446 1937447
Blocks: 1937449
Reported: 2021-03-10 16:46 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-04-28 10:33 UTC

Fixed In Version: velocity-tools 3.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-13 12:38:57 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2021-03-10 16:46:38 UTC
The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

References:
https://lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/03/10/2

Comment 1 Guilherme de Almeida Suckevicz 2021-03-10 16:47:18 UTC
Created eclipse tracking bugs for this issue:

Affects: fedora-all [bug 1937446]


Created velocity tracking bugs for this issue:

Affects: fedora-all [bug 1937447]

Comment 4 Mark Cooper 2021-03-11 05:00:27 UTC
Both hive-container and logging-elasticsearch6-container don't have any references to velocity-tools. I also checked the included velocity.jar and it doesn't include the affected classes. 

I think the only product here to be affected will be fuse based on our manifests?

Comment 7 Todd Cullum 2021-03-16 21:51:51 UTC
Flaw summary:

Apache velocity-tools' VelocityView has an error page which appears when a user attempts to access a non-existent file on the server. It reflects the filename of the page requested on the error page without first sanitizing the text. This could allow a malicious actor to execute JavaScript on the page in a reflected cross-site scripting attack. The (one-liner) patch applied upstream in velocity-tools-view/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java uses the StringEscapeUtils.escapeHtml4() method to first sanitize the input and prevent such an attack.
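The pattern described in the flaw summary, as an added illustration that is not code from Apache Velocity Tools or from this bug report: an error page that echoes the requested template name into HTML unescaped, beside the same page with the name entity-encoded before it is reflected, which is the shape of the upstream one-liner fix. The error-message wording, the class and method names, and the sample request path are all constructed for the example; the escaper is a hand-written stand-in so the code compiles without Commons Lang, and it is not the StringEscapeUtils.escapeHtml4() implementation the real patch calls.

```java
// Added example, not code from Apache Velocity Tools or from this bug report.
// Demonstrates the reflected-XSS defect from Comment 7 (unescaped template name
// echoed into the error page) and the fix (HTML-escape the name first, as the
// upstream patch does via StringEscapeUtils.escapeHtml4).
public class ErrorPageEscapeDemo {

    // Vulnerable shape: the template name taken from the URL is concatenated
    // straight into markup, so any tags it contains become part of the page.
    static String renderErrorPageUnsafe(String templateName) {
        return "<html><body><h2>Error processing template '"   // constructed wording
             + templateName + "'</h2></body></html>";
    }

    // Hardened shape: the same page, but the reflected value is entity-encoded,
    // so the browser renders it as text instead of parsing it as markup.
    static String renderErrorPageSafe(String templateName) {
        return "<html><body><h2>Error processing template '"
             + escapeHtml(templateName) + "'</h2></body></html>";
    }

    // Hand-written stand-in for an HTML entity encoder (assumed helper; the
    // real fix uses Commons Lang's escapeHtml4). Encodes the five characters
    // that can change HTML structure or break out of an attribute value.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Simple check a reviewer or test could run over rendered output: does the
    // page still contain a raw script tag after the reflected value went in?
    static boolean containsRawScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed request path of the kind the description refers to.
        String requested = "missing.vm<script>alert(1)</script>";

        String unsafe = renderErrorPageUnsafe(requested);
        String safe   = renderErrorPageSafe(requested);

        System.out.println("unescaped page contains a script tag: " + containsRawScriptTag(unsafe));
        System.out.println("escaped page contains a script tag:   " + containsRawScriptTag(safe));
        System.out.println(safe);
    }
}
```

The difference between the two render methods is one call, which matches the size of the upstream change; the useful takeaway for reviewers is that any value echoed from the request into an error page needs the same treatment, not only the template name.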

Comment 8 Todd Cullum 2021-03-16 22:23:04 UTC
Statement:

velocity as shipped in Red Hat Enterprise Linux 6, 7, and 8, as well as CodeReady Studio 12, is not affected by this flaw as the affected velocity-tools code is not present in shipped products. This includes those shipped in javapackages-tools and pki-deps as well.

Comment 11 Product Security DevOps Team 2021-04-13 12:38:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13959

