CVE-2020-13936 Sandbox Bypass in Apache Velocity Engine (#38)

vharseko · web-flow · commit 35d4ad7e9638 · 2024-06-24T13:08:35.000+03:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -68,14 +68,14 @@ jobs:
           fail_on_unmatched_files: false
           generate_release_notes: true
           files: |
-            OpenICF-java-framework/openicf-zip/target/*.zip
-            OpenICF-csvfile-connector/target/*.jar
-            OpenICF-databasetable-connector/target/*.jar
-            OpenICF-groovy-connector/target/*.jar
-            OpenICF-kerberos-connector/target/*.jar
-            OpenICF-ldap-connector/target/*.jar
-            OpenICF-ssh-connector/target/*.jar
-            OpenICF-xml-connector/target/*.jar
+            OpenICF-java-framework/openicf-zip/target/*${{ github.event.inputs.releaseVersion }}.zip
+            OpenICF-csvfile-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
+            OpenICF-databasetable-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
+            OpenICF-groovy-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
+            OpenICF-kerberos-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
+            OpenICF-ldap-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
+            OpenICF-ssh-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
+            OpenICF-xml-connector/target/*${{ github.event.inputs.releaseVersion }}.jar
   release-docker:
     name: Docker release
     runs-on: 'ubuntu-latest'
diff --git a/OpenICF-maven-plugin/pom.xml b/OpenICF-maven-plugin/pom.xml
@@ -158,31 +158,11 @@
         <dependency>
             <groupId>org.codehaus.plexus</groupId>
             <artifactId>plexus-velocity</artifactId>
-            <version>1.1.8</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.codehaus.plexus</groupId>
-                    <artifactId>plexus-container-default</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.codehaus.plexus</groupId>
-                    <artifactId>plexus-component-api</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>velocity</groupId>
-                    <artifactId>velocity</artifactId>
-                </exclusion>
-            </exclusions>
+            <version>1.2</version>
         </dependency>
 
 
         <!-- other -->
-        <dependency>
-            <groupId>org.apache.velocity</groupId>
-            <artifactId>velocity</artifactId>
-            <version>1.7</version>
-        </dependency>
-
         <dependency>
             <groupId>org.apache.maven.reporting</groupId>
             <artifactId>maven-reporting-exec</artifactId>
