Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.
References
Link | Resource |
---|---|
https://gitee.com/xiandafu/beetl/issues/I8RU01 | Exploit Issue Tracking Vendor Advisory |
https://gitee.com/xiandafu/beetl/issues/I8RU01 | Exploit Issue Tracking Vendor Advisory |
Configurations
History
21 Nov 2024, 08:56
Type | Values Removed | Values Added |
---|---|---|
References | () https://gitee.com/xiandafu/beetl/issues/I8RU01 - Exploit, Issue Tracking, Vendor Advisory |
10 Feb 2024, 04:09
Type | Values Removed | Values Added |
---|---|---|
References | () https://gitee.com/xiandafu/beetl/issues/I8RU01 - Exploit, Issue Tracking, Vendor Advisory | |
CWE | CWE-94 | |
First Time |
Xiandafu beetl
Xiandafu |
|
CPE | cpe:2.3:a:xiandafu:beetl:3.15.12:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
02 Feb 2024, 04:58
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-02 03:15
Updated : 2024-11-21 08:56
NVD link : CVE-2024-22533
Mitre link : CVE-2024-22533
CVE.ORG link : CVE-2024-22533
JSON object : View
Products Affected
xiandafu
- beetl
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')