CVE-2020-13936

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Apache Velocity Engine versions up to 2.2 Bitbucket Data Center and Server versions 7.21.0 through 7.21.7

Description An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates. The issue is related to incorrect management of code generation in the Java velocity template mechanism, which can allow a remote attacker to access confidential data, disrupt its integrity, and cause a denial of service.

Recommendations For Apache Velocity Engine versions up to 2.2, consider disabling the ability for untrusted users to upload or modify Velocity templates until a patch is available. For Bitbucket Data Center and Server versions 7.21.0 through 7.21.7, upgrade to a release greater than or equal to 7.21.8 to resolve the issue.

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-94

Related Identifiers

BDU:2022-00278

CVE-2020-13936

DLA-2595-1

GHSA-59J4-WJWP-MW9M

MGASA-2021-0183

OESA-2021-1157

OPENSUSE-SU-2021:0447-1

OPENSUSE-SU-2021_0447-1

OPENSUSE-SU-2022_3397-1

OPENSUSE-SU-2024:11495-1

OPENSUSE-SU-2024:11678-1

OPENSUSE-SU-2024:12308-1

OPENSUSE-SU-2025_0719-1

RHSA-2021:2046

RHSA-2021:2047

RHSA-2021:2048

RHSA-2021:3656

RHSA-2021:3658

RHSA-2025:1746

RHSA-2025:1747

SUSE-SU-2021:0800-1

SUSE-SU-2021_0800-1

SUSE-SU-2022:3397-1

SUSE-SU-2022:3560-1

SUSE-SU-2022_3397-1

SUSE-SU-2025:0719-1

SUSE-SU-2025_0719-1

USN-6281-1

Affected Products

Apache Velocity Engine

Astra Linux

Bitbucket

Bitbucket Server

Linuxmint

Suse

Ubuntu

CVE-2020-13936

Weakness Enumeration

Related Identifiers

Affected Products

References · 101