CVE-2024-22533

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/com.ibeetl/beetl

Identifiers

GHSA-9gh8-877r-g477, CVE-2024-22533

Package Slug

maven/com.ibeetl/beetl

Vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

Before Beetl v3.15.12, the template renderer is vulnerable to server-side template injection (SSTI). When the template source is attacker-controllable, the only protection is the DefaultNativeSecurityManager block list; because that block-list filtering is not strict, it can be bypassed, leading to arbitrary code execution.
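The following Java example is added here and is not code from the advisory or from the Beetl project. It shows the pattern the advisory warns about (untrusted input concatenated into the template source, so the engine parses it as template code) next to the mitigation that does not depend on the block list at all: keep the template source constant and pass untrusted input through `binding()` as data. It assumes Beetl 3.15.12 or later on the classpath and uses only the public `GroupTemplate`, `StringTemplateResourceLoader` and `Configuration` API; the class name and the sample input are constructed for the example.

```java
import org.beetl.core.Configuration;
import org.beetl.core.GroupTemplate;
import org.beetl.core.Template;
import org.beetl.core.resource.StringTemplateResourceLoader;

import java.io.IOException;

// Added example, not part of the advisory or the Beetl project.
public class BeetlSstiExample {

    private static GroupTemplate newGroup() throws IOException {
        // StringTemplateResourceLoader allows the template source to be given as a String.
        return new GroupTemplate(new StringTemplateResourceLoader(),
                                 Configuration.defaultConfiguration());
    }

    // UNSAFE pattern: the untrusted string becomes part of the template source,
    // so any Beetl syntax it contains is parsed and executed by the engine.
    // Before 3.15.12 only the bypassable block list stood between this and
    // arbitrary code execution; even after the fix, template source must be
    // treated as code, never built from request data.
    static String renderUnsafe(GroupTemplate gt, String untrusted) {
        Template t = gt.getTemplate("Hello, " + untrusted + "!");
        return t.render();
    }

    // SAFE pattern: the template source is a compile-time constant; the
    // untrusted value is supplied via binding() and rendered as a plain value,
    // so it is never parsed as template syntax.
    static String renderSafe(GroupTemplate gt, String untrusted) {
        Template t = gt.getTemplate("Hello, ${name}!");
        t.binding("name", untrusted);
        return t.render();
    }

    public static void main(String[] args) throws IOException {
        GroupTemplate gt = newGroup();
        // Constructed input that contains template syntax (harmless arithmetic,
        // no native call) to make the difference between the two paths visible.
        String untrusted = "${1+1}";
        System.out.println("unsafe: " + renderUnsafe(gt, untrusted));
        System.out.println("safe:   " + renderSafe(gt, untrusted));
    }
}
```

Running the class shows the distinction: on the unsafe path the engine evaluates the expression embedded in the input, on the safe path the same input is emitted as literal text. Upgrading removes the known block-list bypass, but the binding pattern is what actually closes the SSTI class, because it never lets request data reach the template parser.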

Affected Versions

All versions before 3.15.12

Solution

Upgrade to version 3.15.12 or above.

Last Modified

2024-02-05
