Risk | High |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2020-13936 |
CWE-ID | CWE-94 |
Exploitation vector | Network |
Public exploit | N/A |
Vendor | SUSE |
Security Bulletin
This security bulletin contains one high-risk vulnerability.
EUVDB-ID: #VU51511
Risk: High
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-13936
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker with the ability to modify Velocity templates can inject and execute arbitrary Java code on the system with the same privileges as the account running the Servlet container.
Update the affected package "Recommended update for Maven" to the latest version.
Vulnerable software versions
SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP5: LTSS
SUSE Linux Enterprise Server 15 SP3: LTSS
SUSE Linux Enterprise Server 15 SP4: LTSS
Development Tools Module: 15-SP6
SUSE Linux Enterprise Real Time 15: SP6
openSUSE Leap: 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP3 - SP6
SUSE Linux Enterprise Server 15: SP3 - SP6
SUSE Linux Enterprise Desktop 15: SP6
SUSE Linux Enterprise High Performance Computing 15: SP3 - SP5
SUSE Enterprise Storage: 7.1
maven-surefire-plugin: before 3.5.2-150200.3.9.20.2
maven-invoker: before 3.3.0-150200.3.7.5
maven-doxia-module-xhtml5: before 2.0.0-150200.4.18.11
maven-javadoc-plugin-javadoc: before 3.11.1-150200.4.21.2
maven-surefire-provider-testng: before 3.5.2-150200.3.9.20.12
maven-script-ant: before 3.15.1-150200.3.15.12
maven-reporting-api-javadoc: before 4.0.0-150200.3.10.12
maven-failsafe-plugin: before 3.5.2-150200.3.9.20.2
maven-plugin-tools-javadoc: before 3.15.1-150200.3.15.12
maven-doxia-sitetools-javadoc: before 2.0.0-150200.3.18.3
maven-surefire-plugins-javadoc: before 3.5.2-150200.3.9.20.2
maven-javadoc-plugin-bootstrap: before 3.11.1-150200.4.21.2
maven-dependency-plugin-javadoc: before 3.8.1-150200.3.10.2
maven-surefire-report-plugin: before 3.5.2-150200.3.9.20.2
maven-plugin-plugin-javadoc: before 3.15.1-150200.3.15.2
maven-plugin-tools-api: before 3.15.1-150200.3.15.12
maven-dependency-analyzer: before 1.15.1-150200.3.10.3
maven-plugin-tools-java: before 3.15.1-150200.3.15.12
maven-doxia-module-fml: before 2.0.0-150200.4.18.11
maven-doxia-sink-api: before 2.0.0-150200.4.18.11
maven-invoker-javadoc: before 3.3.0-150200.3.7.5
maven-surefire: before 3.5.2-150200.3.9.20.12
maven-dependency-plugin: before 3.8.1-150200.3.10.2
maven-surefire-provider-junit5-javadoc: before 3.5.2-150200.3.9.20.2
maven-surefire-plugin-bootstrap: before 3.5.2-150200.3.9.20.12
maven-script-beanshell: before 3.15.1-150200.3.15.12
maven-doxia-test-docs: before 2.0.0-150200.4.18.11
maven-doxia-core: before 2.0.0-150200.4.18.11
maven-doxia-sitetools: before 2.0.0-150200.3.18.3
maven-plugin-plugin: before 3.15.1-150200.3.15.2
maven-surefire-report-plugin-bootstrap: before 3.5.2-150200.3.9.20.12
plexus-velocity-javadoc: before 2.1.0-150200.3.10.3
maven-reporting-api: before 4.0.0-150200.3.10.12
maven-doxia-javadoc: before 2.0.0-150200.4.18.11
maven-plugin-plugin-bootstrap: before 3.15.1-150200.3.15.2
maven-doxia-module-xdoc: before 2.0.0-150200.4.18.11
maven-dependency-analyzer-javadoc: before 1.15.1-150200.3.10.3
maven-javadoc-plugin: before 3.11.1-150200.4.21.2
maven-surefire-provider-junit: before 3.5.2-150200.3.9.20.12
maven-plugin-tools-annotations: before 3.15.1-150200.3.15.12
velocity-engine-core: before 2.4-150200.5.3.3
maven-reporting-impl-javadoc: before 4.0.0-150200.4.9.12
maven-invoker-plugin-javadoc: before 3.8.1-150200.3.6.2
maven-plugin-tools-model: before 3.15.1-150200.3.15.12
velocity-engine-core-javadoc: before 2.4-150200.5.3.3
maven-plugin-tools-beanshell: before 3.15.1-150200.3.15.12
maven-surefire-report-parser: before 3.5.2-150200.3.9.20.12
maven-plugin-tools-generators: before 3.15.1-150200.3.15.12
maven-failsafe-plugin-bootstrap: before 3.5.2-150200.3.9.20.12
maven-reporting-impl: before 4.0.0-150200.4.9.12
maven-parent: before 43-150200.3.8.2
maven-surefire-provider-junit5: before 3.5.2-150200.3.9.20.2
plexus-velocity: before 2.1.0-150200.3.10.3
maven-plugin-annotations: before 3.15.1-150200.3.15.12
maven-surefire-javadoc: before 3.5.2-150200.3.9.20.12
maven-plugin-tools-ant: before 3.15.1-150200.3.15.12
maven-invoker-plugin: before 3.8.1-150200.3.6.2
maven-doxia-module-apt: before 2.0.0-150200.4.18.11
https://www.suse.com/support/update/announcement/2025/suse-su-20250719-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.