CVE-2022-24881

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-24881

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24881.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-24881

Aliases

GHSA-fv3m-xhqw-9m79

Published

2022-04-26T16:15:47Z

Modified

2024-05-13T21:23:24Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Ballcat Codegen provides the function of online editing code to generate templates. In versions prior to 1.0.0.beta.2, attackers can implement remote code execution through malicious code injection of the template engine. This happens because Velocity and freemarker templates are introduced but input verification is not done. The fault is rectified in version 1.0.0.beta.2.

References

Affected packages

Git / github.com/ballcat-projects/ballcat-codegen

Affected ranges

Type: GIT
Repo: https://github.com/ballcat-projects/ballcat-codegen
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

84a7cb38daf0295b93aba21d562ec627e4eb463b