
Remove Velocity to avoid CVE-2020-13936 #15

Closed
jimbethancourt opened this issue Jul 5, 2021 · 1 comment

Comments

@jimbethancourt (Collaborator)

All versions of Velocity older than version 2.3 have been found to be vulnerable to remote code execution attacks, as captured in CVE-2020-13936, which has a CVSS score of 8.8 (high). Although this plugin does not permit template uploads, all corporate Maven import tools will still identify and flag this plugin as a vulnerable library since it transitively depends on Velocity 1.7.

The only option at this point is to remove all use of Doxia Site Renderer and generate identical HTML output within the plugin, since Doxia Site Renderer relies on Velocity 1.7.
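As an added example (not code from this repository or its author), a small check that parses `mvn dependency:tree` output and flags any transitive `org.apache.velocity:velocity` below 2.3, the affected range the issue cites for CVE-2020-13936. The tree text and all coordinates in it are a constructed sample mirroring the Doxia Site Renderer situation described above.

```python
import re

# Constructed sample of `mvn dependency:tree` output (assumed, not this project's real build).
SAMPLE_TREE = """\
[INFO] com.example:my-maven-plugin:maven-plugin:0.1.0
[INFO] +- org.apache.maven.doxia:doxia-site-renderer:jar:1.9.2:compile
[INFO] |  +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] |  \\- org.apache.velocity:velocity-tools:jar:2.0:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

# CVE-2020-13936: Velocity Engine releases before 2.3 are affected (per the issue text).
FIXED_VERSION = (2, 3)

# Tree lines look like "[INFO] |  +- group:artifact:type[:classifier]:version:scope".
LINE_RE = re.compile(r"^\[INFO\]\s*(?P<prefix>[|+\\ -]*)(?P<coords>\S+)")


def parse_version(version):
    """Compare on the numeric prefix only; a non-numeric version yields () and sorts as vulnerable."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_vulnerable_velocity(tree_text):
    """Return (dependency path, version) for every org.apache.velocity:velocity below 2.3."""
    findings = []
    ancestors = []  # one entry per tree depth, rebuilt as we descend/ascend
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3  # each "+- " / "|  " segment is 3 chars
        fields = m.group("coords").split(":")
        if len(fields) < 4:
            continue
        group, artifact = fields[0], fields[1]
        version = fields[-1] if len(fields) == 4 else fields[-2]  # root line has no scope
        ancestors = ancestors[:depth] + [f"{group}:{artifact}:{version}"]
        if group == "org.apache.velocity" and artifact == "velocity" \
                and parse_version(version) < FIXED_VERSION:
            findings.append((" > ".join(ancestors), version))
    return findings


if __name__ == "__main__":
    for path, version in find_vulnerable_velocity(SAMPLE_TREE):
        print(f"CVE-2020-13936 exposure via {path} (velocity {version} < 2.3)")
```

Running it against the constructed tree reports the single path through doxia-site-renderer to velocity 1.7; replacing that line with a 2.3 entry yields no findings.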

jimbethancourt added a commit that referenced this issue Jul 5, 2021
Removing Doxia Site Renderer to address CVE-2020-13936.  Plugin code isn't very pretty right now, but it works.
@jimbethancourt (Collaborator, Author)

Fixed in 0.2.0
