GHSA-9gh8-877r-g477

Опубликовано: 02 фев. 2024

Источник: github

Github: Прошло ревью

CVSS3: 9.8

Описание

Beetl Server-Side Template Injection vulnerability

Before Beetl v3.15.13.RELEASE, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.

Ссылки

Пакеты

Наименование

com.ibeetl:beetl-core

maven

Затронутые версииВерсия исправления

< 3.15.13.RELEASE

3.15.13.RELEASE

EPSS

Процентиль: 70%

0.00659

Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2024-22533

Дефекты

CWE-94

Связанные уязвимости

CVE-2024-22533

CVSS3: 9.8

nvd

около 2 лет назад

Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.

EPSS

Процентиль: 70%

0.00659

Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2024-22533

Дефекты

CWE-94