CVE-2020-13936: 
Java vulnerability analysis and mitigation

CVE-2020-13936 is a security vulnerability discovered in Apache Velocity Engine versions up to 2.2. The vulnerability was discovered by Alvaro Munoz of Github Security Labs and was publicly disclosed in March 2021. The vulnerability affects applications that allow untrusted users to upload or modify Velocity templates (GitHub Security Lab).

The vulnerability stems from a failure in Velocity's Secure Uberspector to properly inspect the complete class hierarchy of objects where methods are invoked. This allows attackers to bypass the sandbox protection mechanism. Specifically, when methods are called on objects that extend blocked classes or implement blocked interfaces, the invocation is not properly blocked. For example, while java.lang.ClassLoader is present in the Secure Uberspector default BlockList, calls can still be made to classes extending ClassLoader (GitHub Security Lab).

If exploited, an attacker who can modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This is particularly concerning in web applications where users have access to modify template contents (NVD, OSS Security).

The recommended mitigation is to upgrade to Apache Velocity version 2.3 or later, which includes additional default restrictions on what methods and properties can be accessed in templates. This version addresses the sandbox bypass vulnerability by improving the class hierarchy inspection mechanism (OSS Security, Gentoo Security).