Описание
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
A flaw was found in Spring Framework. When Java scripting engine enabled template views (such as those using JRuby or Jython) are used in Spring MVC and Spring WebFlux applications, a remote attacker can exploit this to disclose sensitive content from files located outside the intended script template view directories. This information disclosure can expose confidential data.
Меры по смягчению последствий
To mitigate this issue, avoid using Java scripting engine enabled template views (e.g., JRuby, Jython) in Spring MVC and Spring WebFlux applications. If these engines are not essential for application functionality, disable or remove their integration to prevent unauthorized file disclosure. Review application configurations to ensure that template view directories are strictly controlled and that no external scripting engines are inadvertently enabled.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat AMQ Broker 7 | spring-webmvc | Fix deferred | ||
| Red Hat build of Apache Camel for Spring Boot 4 | spring-webmvc | Fix deferred | ||
| Red Hat build of Apache Camel - HawtIO 4 | spring-webflux | Fix deferred | ||
| Red Hat build of Apache Camel - HawtIO 4 | spring-webmvc | Fix deferred | ||
| Red Hat build of OptaPlanner 8 | spring-webmvc | Fix deferred | ||
| Red Hat Data Grid 8 | spring-webmvc | Fix deferred | ||
| Red Hat Enterprise Linux 8 | log4j:2/log4j | Fix deferred | ||
| Red Hat Enterprise Linux 8 | pki-core:10.6/resteasy | Fix deferred | ||
| Red Hat Enterprise Linux 8 | pki-deps:10.6/resteasy | Fix deferred | ||
| Red Hat Enterprise Linux 9 | log4j | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Use of Java scripting engine enabled (e.g. JRuby, Jython) template vie ...
Spring Framework Improper Path Limitation with Script View Templates
EPSS
6.5 Medium
CVSS3