An attacker who is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload or modify Velocity templates and that run Apache Velocity Engine versions up to 2.2.
Vulnerable Product |
---|
apache velocity engine |
apache wss4j 2.3.1 |
debian debian linux 9.0 |
oracle retail order broker 16.0 |
oracle banking platform 2.6.2 |
oracle banking platform 2.7.1 |
oracle communications network integrity 7.3.6 |
oracle banking enterprise default management 2.12.0 |
oracle banking enterprise default management 2.10.0 |
oracle banking party management 2.7.0 |
oracle utilities testing accelerator 6.0.0.2.2 |
oracle utilities testing accelerator 6.0.0.3.1 |
oracle utilities testing accelerator 6.0.0.1.1 |
oracle communications cloud native core policy 1.14.0 |
oracle banking platform |
oracle banking loans servicing 2.12.0 |
oracle retail service backbone 19.0.1 |
oracle retail integration bus 19.0.1 |
oracle banking enterprise default management 2.7.1 |
oracle banking enterprise default management 2.6.2 |
oracle banking enterprise default management |
oracle banking deposits and lines of credit servicing 2.12.0 |
oracle retail xstore office cloud service 17.0.4 |
oracle retail xstore office cloud service 18.0.3 |
oracle retail xstore office cloud service 19.0.2 |
oracle retail xstore office cloud service 20.0.1 |
oracle retail xstore office cloud service 16.0.6 |
oracle hospitality token proxy service 19.2 |