GHSA-9gh8-877r-g477

Source
https://github.com/advisories/GHSA-9gh8-877r-g477
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-9gh8-877r-g477/GHSA-9gh8-877r-g477.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9gh8-877r-g477
Aliases
  • CVE-2024-22533
Published
2024-02-02T03:30:32Z
Modified
2024-02-16T08:19:32.704932Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Beetl Server-Side Template Injection vulnerability
Details

In Beetl versions before 3.15.13.RELEASE, template rendering has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable by the caller, it is filtered only by the DefaultNativeSecurityManager blacklist. Because that blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.

Database specific
{
    "nvd_published_at": "2024-02-02T03:15:11Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-02T18:10:29Z"
}
References

Affected packages

Maven / com.ibeetl:beetl-core

Package

Name
com.ibeetl:beetl-core
Purl
pkg:maven/com.ibeetl/beetl-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.15.13.RELEASE

Affected versions

3.*

3.11.0.RELEASE
3.12.0.RELEASE
3.13.0.RELEASE
3.14.1.RELEASE
3.15.0.RELEASE
3.15.1.RELEASE
3.15.2.RELEASE
3.15.3.RELEASE
3.15.4.RELEASE
3.15.5.RELEASE
3.15.6.RELEASE
3.15.7.RELEASE
3.15.8.RELEASE
3.15.10.RELEASE
3.15.12.RELEASE