Описание
document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection
Impact
A remote code execution (RCE) via server-side template injection (SSTI) allows for user supplied code to be executed in the server's context where it is executed as the document-merge-server user with the UID 901 thus giving an attacker considerable control over the container.
Patches
It has been patched in v6.5.2
References
POC
Add the following to a document, upload and render it:
The index might be different, so to debug this first render a template with {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }} and then get the index of subprocess.Popen and replace 202 with that.
Пакеты
document-merge-service
< 6.5.2
6.5.2
Связанные уязвимости
Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed.