GHSA-9gh8-877r-g477, CVE-2024-22533
maven/com.ibeetl/beetl-core
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Beetl before v3.15.12 has a server-side template injection (SSTI) vulnerability in template rendering. When the template source itself is attacker-controllable, the only protection is the block list enforced by DefaultNativeSecurityManager, which restricts the native Java calls a template may make. Because that block-list filtering is not strict, the list can be bypassed, leading to arbitrary code execution.
All versions before 3.15.13.RELEASE
Upgrade to version 3.15.13.RELEASE or above.
2024-02-07
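The integration pattern the advisory describes, as an added example (this is not Beetl's own code and not from the advisory; the class and method names are hypothetical, and it uses only the documented GroupTemplate / StringTemplateResourceLoader / Template API). The vulnerable method splices untrusted input into the template source, so Beetl parses and evaluates whatever template syntax the input contains and the DefaultNativeSecurityManager block list becomes the only barrier; the hardened method keeps the template source constant and binds the input as a variable value, which Beetl emits as data and never re-parses. No block-list bypass is shown, since the advisory does not publish one.

```java
import java.io.IOException;

import org.beetl.core.Configuration;
import org.beetl.core.GroupTemplate;
import org.beetl.core.Template;
import org.beetl.core.resource.StringTemplateResourceLoader;

/**
 * Added example, not Beetl's code and not from the advisory.
 * Class and method names are hypothetical.
 */
public class BeetlSstiExample {

    // One engine per process; templates are compiled from in-memory strings.
    private static final GroupTemplate GROUP = createGroupTemplate();

    private static GroupTemplate createGroupTemplate() {
        try {
            Configuration cfg = Configuration.defaultConfiguration();
            return new GroupTemplate(new StringTemplateResourceLoader(), cfg);
        } catch (IOException e) {
            throw new IllegalStateException("cannot load Beetl configuration", e);
        }
    }

    /**
     * VULNERABLE: untrusted input becomes part of the template SOURCE, so
     * Beetl parses and evaluates any ${...} or <% %> it contains. The only
     * thing left between the attacker and native Java calls is the
     * DefaultNativeSecurityManager block list, which the advisory says can
     * be bypassed in versions before 3.15.13.RELEASE.
     */
    public static String renderVulnerable(String untrustedName) {
        Template t = GROUP.getTemplate("Hello, " + untrustedName + "!");
        return t.render();
    }

    /**
     * HARDENED: the template source is a constant under the application's
     * control; untrusted input is only bound as a variable VALUE, which Beetl
     * writes out as data and does not re-parse as template syntax.
     */
    public static String renderHardened(String untrustedName) {
        Template t = GROUP.getTemplate("Hello, ${name}!");
        t.binding("name", untrustedName);
        return t.render();
    }

    public static void main(String[] args) {
        // Constructed input: a harmless arithmetic expression that only shows
        // whether the input is being evaluated; it is not an exploit payload.
        String input = "${1+1}";

        System.out.println("vulnerable: " + renderVulnerable(input));
        System.out.println("hardened:   " + renderHardened(input));
    }
}
```

Running the two methods on the same input makes the distinction visible: the vulnerable path evaluates the arithmetic inside the input, while the hardened path prints the placeholder text unchanged. Upgrading to 3.15.13.RELEASE tightens the block list, but the block list is defence in depth; the root cause is letting a request define the template source, and the hardened pattern removes that regardless of Beetl version.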