CVE-2023-38286 – de.codecentric:spring-boot-admin-server

Package

Manager: maven
Name: de.codecentric:spring-boot-admin-server
Vulnerable Version: >=3.0.0 <3.1.2 || >=0 <2.7.16

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00114 pctl0.3064

Details

Spring-boot-admin sandbox bypass via crafted HTML Thymeleaf through 3.1.1.RELEASE as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 allows for a sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI. Spring Boot Admin 3.1.2 and 2.7.16 contain mitigations for the issue. This bypass is achived via a library called Thymeleaf which has added counter measures for this sort of bypass in version `3.1.2.RELEASE` which has explicity forbidden static access to `org.springframework.util` in expressions. Thymeleaf itself should not be considered vulnerable.

Metadata

Created: 2023-07-14T06:31:00Z
Modified: 2024-06-12T22:40:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-7gj7-224w-vpr3/GHSA-7gj7-224w-vpr3.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-7gj7-224w-vpr3
Finding: F422
Auto approve: 1