GHSA-qcj6-jqrg-4wp2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qcj6-jqrg-4wp2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-qcj6-jqrg-4wp2/GHSA-qcj6-jqrg-4wp2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qcj6-jqrg-4wp2
- Aliases
- Published
- 2021-11-10T19:52:33Z
- Modified
- 2024-02-20T05:33:13.432414Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Template injection in thymeleaf-spring5
- Details
-
In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.
- Database specific
{ "github_reviewed_at": "2021-11-10T18:12:25Z", "github_reviewed": true, "severity": "CRITICAL", "nvd_published_at": "2021-11-09T12:15:00Z", "cwe_ids": [ "CWE-94" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-43466
- https://github.com/thymeleaf/thymeleaf-spring/issues/263#issuecomment-977199524
- https://gitee.com/wayne_wwang/wayne_wwang/blob/master/2021/10/31/ruoyi+thymeleaf-rce/index.html
- https://github.com/thymeleaf/thymeleaf-spring
- https://security.netapp.com/advisory/ntap-20221014-0001
- https://vuldb.com/?id.186365
Affected packages
Maven / org.thymeleaf:thymeleaf-spring5
Package
- Name
- org.thymeleaf:thymeleaf-spring5
- View open source insights on deps.dev
- Purl
- pkg:maven/org.thymeleaf/thymeleaf-spring5
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.0.13.RELEASE