CVE-2024-22533

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/com.ibeetl/beetl-core

Identifiers

GHSA-9gh8-877r-g477, CVE-2024-22533

Package Slug

maven/com.ibeetl/beetl-core

Vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

Before Beetl v3.15.12, template rendering is vulnerable to server-side template injection (SSTI). When the template being rendered is controllable by the caller, it is checked against the DefaultNativeSecurityManager block list. Because that block-list filtering is not strict, the block list can be bypassed, leading to arbitrary code execution.

Affected Versions

All versions before 3.15.13.RELEASE

Solution

Upgrade to version 3.15.13.RELEASE or above.

Last Modified

2024-02-07
