Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05Z2g4LTg3N3ItZzQ3N84AA5Ap
Beetl Server-Side Template Injection vulnerability
Before Beetl v3.15.13.RELEASE, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.
Permalink: https://github.com/advisories/GHSA-9gh8-877r-g477JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05Z2g4LTg3N3ItZzQ3N84AA5Ap
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-9gh8-877r-g477, CVE-2024-22533
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-22533
- https://gitee.com/xiandafu/beetl/issues/I8RU01
- https://github.com/advisories/GHSA-9gh8-877r-g477
Affected Packages
maven:com.ibeetl:beetl-core
Dependent packages: 4Dependent repositories: 1
Downloads:
Affected Version Ranges: < 3.15.13.RELEASE
Fixed in: 3.15.13.RELEASE
All affected versions: 3.15.1-0.RELEASE, 3.15.1-2.RELEASE
All unaffected versions: