VELOCITY-982: Velocity 2.x - Velocity.properties - Additional introspector.restrict.classes


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0, 2.1, 2.2, 2.3, 2.4-rc2
    • Fix Version/s: 2.4
    • Component/s: Build
    • Labels: None

    Description

      In Velocity.properties, the introspector.restrict.classes entries.

      I assume additions to this file in that section resolved CVE-2020-13936 (templating can interact with the system)? Please confirm which commits, classes or settings did indeed resolve CVE-2020-13936. We really need to know because we are stuck on 1.7 and need to fork/patch.

      Along these lines of further security hardening, aren't there more entries needed in the introspector.restrict.classes section, such as:

      • java.lang.ProcessBuilder
      • java.lang.Reflect
      • javax.management.MBeanServer
      • java.net.Socket
      • javax.script.ScriptEngine

      Finally, please confirm whether Velocity is largely in CVE patch mode only and is not really an active project, given that there is much more talk today about Apache FreeMarker. Just trying to determine the level of support and engagement from the Apache Velocity maintainers.

    People

      • Assignee: cbrisson (Claude Brisson)
      • Reporter: bodhione (John Tal)