CVE-2021-23803: Incorrect Authorization

December 17, 2021 (updated December 27, 2021)

There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of certain functions, adding control characters (x00-x08) after the function will bypass these restrictions.

References

github.com/nette/latte/commit/227c86eda9a8a6d060ea8501923e768b6d992210
github.com/nette/latte/issues/279
nvd.nist.gov/vuln/detail/CVE-2021-23803
snyk.io/vuln/SNYK-PHP-LATTELATTE-1932226

Detect and mitigate CVE-2021-23803 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →