CVE-2025-1686

Опубликовано: 27 фев. 2025

Источник: redhat

CVSS3: 6.8

Описание

All versions of the package io.pebbletemplates:pebble are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();

A flaw was found in Pebble Templates. This vulnerability allows high-privileged attackers to access sensitive local files via the include tag, enabling arbitrary file inclusion.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat build of Apache Camel for Spring Boot 4	pebble	Will not fix
Red Hat JBoss Enterprise Application Platform 7	pebble	Not affected
Red Hat JBoss Enterprise Application Platform 8	pebble	Not affected
Red Hat JBoss Enterprise Application Platform Expansion Pack	pebble	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-73

https://bugzilla.redhat.com/show_bug.cgi?id=2348665io.pebbletemplates:pebble: Path Traversal Vulnerability in Pebble Templates

6.8 Medium

CVSS3

Связанные уязвимости

CVE-2025-1686

CVSS3: 6.8

nvd

10 месяцев назад

GHSA-p75g-cxfj-7wrx

CVSS3: 6.8

github

10 месяцев назад

Pebble has Arbitrary Local File Inclusion (LFI) Vulnerability via `include` macro

6.8 Medium

CVSS3