Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oajhtLTlmaGYtdjdqcM4AA0D-
fief-server Server-Side Template Injection vulnerability
Server-Side Template Injection
Overview of the Vulnerability
Server-Side Template Injection (SSTI) is a vulnerability in application templating engines where user input is improperly handled and embedded into the template itself, possibly leading to code execution.
An attacker can use SSTI to execute code on the underlying system by manipulating values within the embedded template. Code executed this way runs with the privileges of the exploited process, and an attacker can also use it to inject Cross-Site Scripting (XSS) payloads that run in the user's browser.
Business Impact
SSTI can lead to reputational damage for the business due to a loss in confidence and trust by users. If an attacker successfully executes code within the underlying system, it can result in data theft and indirect financial losses.
Steps to Reproduce
- Sign up and log in to your account
- Use a browser to navigate to: email-templates {{URL}}
- Put your payload in Edit Base template:
{{ cycler.__init__.__globals__.os.popen('id').read() }}
and you will see that it executes.
Payload:
{{ cycler.__init__.__globals__.os.popen('id').read() }}
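The mitigation for this class of bug is to render tenant-editable templates in a sandboxed engine, not a plain one. The block below is an added illustration, not fief's own fix (that is in the referenced commit); it assumes the email templates are Jinja2 templates, which the `cycler` global in the payload above is specific to. `SandboxedEnvironment` refuses attribute access that starts with an underscore, so the `__init__.__globals__` traversal the payload relies on is rejected before any code runs, while a benign template with user data still renders (and `autoescape=True` covers the XSS angle mentioned in the overview). `render_user_template` and `build_template_env` are names chosen for this example.

```python
"""Added example: rendering untrusted template source in Jinja2's sandbox.

Assumption (not stated by the advisory): fief's email templates are Jinja2
templates. This is not the project's own fix, only the general mitigation.
"""
from jinja2.sandbox import SandboxedEnvironment
from jinja2.exceptions import SecurityError, TemplateSyntaxError, UndefinedError

# The payload quoted in the advisory, reused here only as the rejected input.
SSTI_PAYLOAD = "{{ cycler.__init__.__globals__.os.popen('id').read() }}"

# A benign template of the kind a tenant would legitimately edit (constructed).
BENIGN_TEMPLATE = "Hello {{ user.email }}, your code is {{ code }}"


def build_template_env() -> SandboxedEnvironment:
    """Environment for user-supplied template source.

    SandboxedEnvironment.is_safe_attribute() returns False for any attribute
    beginning with "_" and for internal attributes of functions and frames,
    so `cycler.__init__` already yields an unsafe-undefined value and the
    next step (`.__globals__`) raises SecurityError.  autoescape=True makes
    rendered user data safe to embed in HTML mail.
    """
    return SandboxedEnvironment(autoescape=True)


def render_user_template(source: str, **context):
    """Render untrusted template source.

    Returns (True, rendered_text) on success, or (False, reason) when the
    sandbox rejects the template.  Run this at save time as well as at send
    time so a hostile template is refused before it is ever stored.
    """
    env = build_template_env()
    try:
        return True, env.from_string(source).render(**context)
    except SecurityError as exc:
        # The sandbox blocked an attribute/item access it considers unsafe.
        return False, f"template rejected by sandbox: {exc}"
    except UndefinedError as exc:
        # Template referenced data the context does not provide.
        return False, f"template references undefined data: {exc}"
    except TemplateSyntaxError as exc:
        return False, f"template syntax error: {exc}"


if __name__ == "__main__":
    print(render_user_template(SSTI_PAYLOAD))
    print(render_user_template(BENIGN_TEMPLATE,
                               user={"email": "<a@example.com>"}, code="123456"))
```

The sandbox is a defence in depth, not a substitute for deciding who may edit templates at all: the advisory's CVSS vector has PR:N, meaning self-registration was enough to reach the editor, so the authorization check on the email-templates endpoint matters as much as the rendering engine.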
Proof of Concept (PoC)
The screenshot(s) below demonstrate the SSTI:
Permalink: https://github.com/advisories/GHSA-hj8m-9fhf-v7jp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oajhtLTlmaGYtdjdqcM4AA0D-
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 10.0
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-hj8m-9fhf-v7jp
References:
- https://github.com/fief-dev/fief/security/advisories/GHSA-hj8m-9fhf-v7jp
- https://github.com/fief-dev/fief/commit/91e56625b641fa419e2985772266774bae18382b
- https://github.com/fief-dev/fief/releases/tag/v0.25.3
- https://github.com/advisories/GHSA-hj8m-9fhf-v7jp
Blast Radius: 0.0
Affected Packages
pypi:fief-server
Dependent packages: 0
Dependent repositories: 1
Downloads: 3,840 last month
Affected Version Ranges: >= 0.19.0, < 0.25.3
Fixed in: 0.25.3
All affected versions: 0.19.0, 0.19.1, 0.19.2, 0.20.0, 0.20.1, 0.21.0, 0.22.0, 0.22.1, 0.22.2, 0.23.0, 0.23.1, 0.23.2, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.24.5, 0.24.6, 0.24.7, 0.24.8, 0.24.9, 0.25.0, 0.25.1, 0.25.2
All unaffected versions: 0.0.4, 0.0.5, 0.0.7, 0.0.9, 0.0.11, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.7, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.12.13, 0.12.14, 0.12.15, 0.12.16, 0.12.17, 0.12.18, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 0.15.1, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.16.6, 0.16.7, 0.16.8, 0.16.9, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.18.0, 0.25.3, 0.26.0, 0.26.1, 0.26.2, 0.26.3, 0.27.0, 0.28.0, 0.28.1, 0.28.2, 0.28.3, 0.28.4, 0.28.5, 0.28.6, 0.28.7, 0.28.8, 0.28.9, 0.29.0, 0.29.1, 0.29.2