CVE-2024-22533 – com.ibeetl:beetl-core
Package
Manager: maven
Name: com.ibeetl:beetl-core
Vulnerable Version: >=0 <3.15.13.release
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00505 (percentile: 0.65223)
Details
Beetl Server-Side Template Injection vulnerability. Before Beetl v3.15.13.RELEASE, the template rendering engine has a server-side template injection (SSTI) vulnerability. When the incoming template is user-controllable, it is filtered only by the DefaultNativeSecurityManager blacklist. Because the blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.
Metadata
Created: 2024-02-02T03:30:32Z
Modified: 2024-02-12T15:35:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-9gh8-877r-g477/GHSA-9gh8-877r-g477.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-9gh8-877r-g477
Finding: F422
Auto approve: 1