GHSA-qcj6-jqrg-4wp2

Source
https://github.com/advisories/GHSA-qcj6-jqrg-4wp2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-qcj6-jqrg-4wp2/GHSA-qcj6-jqrg-4wp2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qcj6-jqrg-4wp2
Aliases
Published
2021-11-10T19:52:33Z
Modified
2024-02-20T05:33:13.432414Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Template injection in thymeleaf-spring5
Details

In thymeleaf-spring5 3.0.12.RELEASE and earlier, Thymeleaf combined with specific template injection scenarios may lead to remote code execution (CWE-94, code injection). The advisory does not describe the triggering scenario, so any path on which untrusted input reaches Thymeleaf template or expression evaluation should be treated as in scope. Fixed in 3.0.13.RELEASE.

Database specific
{
    "nvd_published_at": "2021-11-09T12:15:00Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-10T18:12:25Z"
}
References

Affected packages

Maven / org.thymeleaf:thymeleaf-spring5

Package

Name
org.thymeleaf:thymeleaf-spring5
Purl
pkg:maven/org.thymeleaf/thymeleaf-spring5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.0.13.RELEASE

Affected versions

3.0.3.M1
3.0.4.M2
3.0.5.M3
3.0.6.M4
3.0.7.RC1
3.0.8.RELEASE
3.0.9.RELEASE
3.0.10.RELEASE
3.0.11.RELEASE
3.0.12.RELEASE

Database specific

{
    "last_known_affected_version_range": "<= 3.0.12.RELEASE"
}
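The affected range above is of type ECOSYSTEM, so whether a build is exposed depends on Maven version ordering, in which qualifiers such as M1, RC1 and RELEASE sort before or after one another rather than lexically. The following checker is an added example for this page, not code from OSV, GitHub or the Thymeleaf project: it implements the subset of Maven's ComparableVersion rules needed for the qualifiers listed here, evaluates the published range (introduced 0, fixed 3.0.13.RELEASE), and runs it over constructed `mvn dependency:list` output. The sample dependency lines are made up for the example and are not from a real build.

```python
"""Offline check of a Maven dependency list against GHSA-qcj6-jqrg-4wp2.

Added example for this advisory page; not code from OSV, GitHub or the
Thymeleaf project. The sample `mvn dependency:list` output below is
constructed, and the version-ordering rules are a subset of Maven's
ComparableVersion covering the qualifiers that appear on this page.
"""
import re
from typing import List, Optional, Tuple

# Affected range exactly as published on this page (ECOSYSTEM type, Maven ordering).
ADVISORY = {
    "id": "GHSA-qcj6-jqrg-4wp2",
    "package": "org.thymeleaf:thymeleaf-spring5",
    "introduced": "0",          # unknown introduced version: all earlier versions affected
    "fixed": "3.0.13.RELEASE",  # first version outside the range
}

# Maven qualifier ordering (lower sorts first). An empty qualifier, RELEASE,
# FINAL and GA all denote a release, which sorts after milestones and RCs.
_QUALIFIER_RANK = {
    "alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
    "rc": 3, "cr": 3, "snapshot": 4, "": 5, "release": 5, "final": 5, "ga": 5, "sp": 6,
}

VersionKey = Tuple[List[int], int, int]


def parse_maven_version(version: str) -> VersionKey:
    """Turn '3.0.7.RC1' into ([3, 0, 7], rank(rc), 1), a key that sorts in Maven order."""
    parts = version.replace("-", ".").split(".")
    numeric: List[int] = []
    qualifier = ""
    for i, part in enumerate(parts):
        if part.isdigit():
            numeric.append(int(part))
        else:
            qualifier = ".".join(parts[i:])
            break
    m = re.fullmatch(r"([A-Za-z]*)(\d*)", qualifier)
    if m is None or m.group(1).lower() not in _QUALIFIER_RANK:
        raise ValueError(f"unsupported qualifier in Maven version {version!r}")
    # Maven ignores trailing zero components: 3.0.0 == 3.0 == 3, so 3.1.0 -> [3, 1].
    while numeric and numeric[-1] == 0:
        numeric.pop()
    return (numeric, _QUALIFIER_RANK[m.group(1).lower()], int(m.group(2) or 0))


def is_affected(version: str) -> bool:
    """True when introduced <= version < fixed under Maven ordering."""
    key = parse_maven_version(version)
    return parse_maven_version(ADVISORY["introduced"]) <= key < parse_maven_version(ADVISORY["fixed"])


def parse_dependency_line(line: str) -> Optional[Tuple[str, str]]:
    """Extract (groupId:artifactId, version) from one `mvn dependency:list` line.

    Handles group:artifact:type:version:scope and the six-field form with a classifier.
    """
    if not line.startswith("[INFO]"):
        return None
    fields = line[len("[INFO]"):].strip().split(":")
    if len(fields) == 5:
        group, artifact, _type, version, _scope = fields
    elif len(fields) == 6:
        group, artifact, _type, _classifier, version, _scope = fields
    else:
        return None
    return f"{group}:{artifact}", version


def scan_dependency_list(text: str) -> List[Tuple[str, str, bool]]:
    """Return (coordinate, version, affected) for each line naming the advisory's package."""
    findings = []
    for line in text.splitlines():
        parsed = parse_dependency_line(line)
        if parsed and parsed[0] == ADVISORY["package"]:
            findings.append((parsed[0], parsed[1], is_affected(parsed[1])))
    return findings


# Constructed sample output, shaped like `mvn dependency:list`; not from a real build.
SAMPLE_VULNERABLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-webmvc:jar:5.3.12:compile
[INFO]    org.thymeleaf:thymeleaf-spring5:jar:3.0.12.RELEASE:compile
[INFO]    org.thymeleaf:thymeleaf:jar:3.0.12.RELEASE:compile
"""
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace(
    "thymeleaf-spring5:jar:3.0.12.RELEASE", "thymeleaf-spring5:jar:3.0.13.RELEASE"
)

if __name__ == "__main__":
    for label, text in (("vulnerable build", SAMPLE_VULNERABLE), ("patched build", SAMPLE_FIXED)):
        for coord, version, affected in scan_dependency_list(text):
            verdict = "AFFECTED" if affected else "not affected"
            print(f"{label}: {coord} {version} -> {verdict} by {ADVISORY['id']}")
```

To use it on a real project, pipe `mvn dependency:list` output into `scan_dependency_list`. Note that the check is on the resolved version, not the declared one: a transitive dependency or a parent BOM can pull in an affected thymeleaf-spring5 even when no pom names it, which is why the dependency list rather than the pom is the right input.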