spring-attic / spring-security-saml

SAML extension for the Spring Security project

Upgrade to secure version of Apache Velocity #511

Closed derek-gfs closed 3 years ago

derek-gfs commented 3 years ago

Apache Velocity is vulnerable to Code Injection. The checkObjectExecutePermission method in SecureIntrospectorImpl.class fails to deny access to java.lang.ClassLoader methods. An attacker with template modification abilities can exploit this to execute arbitrary code using a maliciously crafted template when Velocity templates are used in the context of a VelocityView.

https://securitylab.github.com/advisories/GHSL-2020-048-apache-velocity/

jasonparallel commented 3 years ago

It is also vulnerable to CVE-2021-29425 via the shaded copy of commons-io.

jzheaux commented 3 years ago

@jasonparallel, that sounds like a different vulnerability. If so, would you please file a separate ticket?

jzheaux commented 3 years ago

Thanks for the report, @derek-gfs. Since Spring Security SAML Extensions is in maintenance mode, I'd like to stick with only necessary changes.

Spring Security SAML Extensions doesn't grant template modification abilities to the client, and so I believe the best mitigation is to have applications update their Apache Velocity dependency.