CVE-2024-22533

Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.
References
Link Resource
https://gitee.com/xiandafu/beetl/issues/I8RU01 Exploit Issue Tracking Vendor Advisory
https://gitee.com/xiandafu/beetl/issues/I8RU01 Exploit Issue Tracking Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:xiandafu:beetl:3.15.12:*:*:*:*:*:*:*

History

21 Nov 2024, 08:56

Type Values Removed Values Added
References () https://gitee.com/xiandafu/beetl/issues/I8RU01 - Exploit, Issue Tracking, Vendor Advisory () https://gitee.com/xiandafu/beetl/issues/I8RU01 - Exploit, Issue Tracking, Vendor Advisory

10 Feb 2024, 04:09

Type Values Removed Values Added
References () https://gitee.com/xiandafu/beetl/issues/I8RU01 - () https://gitee.com/xiandafu/beetl/issues/I8RU01 - Exploit, Issue Tracking, Vendor Advisory
CWE CWE-94
First Time Xiandafu beetl
Xiandafu
CPE cpe:2.3:a:xiandafu:beetl:3.15.12:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8

02 Feb 2024, 04:58

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-02 03:15

Updated : 2024-11-21 08:56


NVD link : CVE-2024-22533

Mitre link : CVE-2024-22533

CVE.ORG link : CVE-2024-22533


JSON object : View

Products Affected

xiandafu

  • beetl
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')