roller-user mailing list archives

From Dave <>
Subject CVE-2015-0249: Apache Roller allows admin users to execute arbitrary Java code
Date Tue, 24 Mar 2015 23:22:04 GMT
Severity: Important

   The Apache Software Foundation

Versions Affected:
   Roller 5.1.1
   Roller 5.1
   The unsupported pre-Roller 5.1 versions may also be affected

Description:
   A Roller user with Admin-level access to a weblog can edit a weblog
   page template and use special Velocity syntax to execute Java code on
   the server.

Mitigation:
   There are several ways you can fix this vulnerability:

   1) Upgrade to the latest version of Roller, which is now 5.1.2.

   2) Or, add the following line to Roller's file:


   3) Or, disable template editing on your Roller system by un-checking
      the Allow Custom Themes setting in the Server Admin -> Configuration
      Theme Settings section.
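   Roller renders weblog page templates with Apache Velocity, and the
   hardening Velocity itself offers against template authors reaching Java
   reflection is its SecureUberspector, which refuses method calls on
   java.lang.Class, ClassLoader, Runtime, System, Thread and the
   java.lang.reflect package. The following is an added example, not code
   from the advisory or from the Roller project: it builds a Velocity 1.7
   engine with and without the SecureUberspector and renders the same two
   templates through each, so an administrator can confirm what a hardened
   engine still renders and what it blocks. The property key
   RuntimeConstants.UBERSPECT_CLASSNAME and the evaluate() signature are
   the public Velocity 1.7 API; the template strings and the "title"
   context value are constructed for the demonstration.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Added example (not Roller code): renders the same templates through a
 * default Velocity engine and one configured with SecureUberspector, to
 * show that ordinary theme markup keeps working while reflection through
 * java.lang.Class is refused.
 */
public class SecureVelocityCheck {

    /** Builds an engine; when hardened, installs Velocity's SecureUberspector. */
    static VelocityEngine engine(boolean hardened) {
        VelocityEngine ve = new VelocityEngine();
        if (hardened) {
            // Key is "runtime.introspector.uberspect"; the secure uberspector
            // blocks method calls whose target is java.lang.Class, ClassLoader,
            // Runtime, System, Thread and anything under java.lang.reflect.
            ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                    "org.apache.velocity.util.introspection.SecureUberspector");
        }
        ve.init();
        return ve;
    }

    /** Evaluates one template string against a small constructed context. */
    static String render(VelocityEngine ve, String template) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("title", "My Weblog");   // constructed model value a theme might use
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "template-check", template);
        return out.toString();
    }

    public static void main(String[] args) {
        // Benign theme markup: property access and a String method; must work either way.
        String benign = "<h1>$title</h1> ($title.length() chars)";
        // Method call on a java.lang.Class object: nothing a blog theme needs.
        String reflective = "$title.getClass().getName()";

        for (boolean hardened : new boolean[] {false, true}) {
            VelocityEngine ve = engine(hardened);
            String label = hardened ? "secure " : "default";
            System.out.println(label + " benign:     " + render(ve, benign));
            System.out.println(label + " reflective: " + render(ve, reflective));
        }
    }
}
```

   With the default engine the second template prints "java.lang.String".
   With SecureUberspector the getName() call on the Class object is
   refused: Velocity logs a warning from the secure introspector, the
   method lookup yields null, and in non-strict rendering mode the
   unresolved reference is emitted literally rather than evaluated. The
   benign template renders identically under both engines, which is the
   property to verify before deploying a configuration change to a
   production Roller instance.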

Credit:
   This issue was discovered by Gregory Draperi.
