CVE-2024-22533: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
In Beetl versions before 3.15.12, template rendering has a server-side template injection (SSTI) vulnerability. When the template text itself is attacker-controlled, the only protection is the DefaultNativeSecurityManager block list applied to native calls; because that filtering is not strict, the block list can be bypassed, leading to arbitrary code execution on the server. Upgrading to 3.15.12 or later addresses the bypass, but applications should also avoid compiling untrusted input as a template in the first place.
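The distinction that matters for this CVE is whether untrusted input reaches Beetl as template source or only as a bound variable. The following is an added example, not code from the Beetl project or from the advisory; the class and method names (`BeetlSstiDemo`, `renderUnsafe`, `renderSafe`) are illustrative, and it assumes the public Beetl 3 API (`GroupTemplate`, `StringTemplateResourceLoader`, `Configuration.defaultConfiguration()`, `Template.binding`/`render`) on the classpath. The sample input is constructed; it is a harmless template expression, not a block-list bypass.

```java
import java.io.IOException;

import org.beetl.core.Configuration;
import org.beetl.core.GroupTemplate;
import org.beetl.core.Template;
import org.beetl.core.resource.StringTemplateResourceLoader;

/**
 * Contrasts the risky usage pattern behind CVE-2024-22533 with the safe one.
 * Illustrative example; names are not Beetl's own.
 */
public class BeetlSstiDemo {

    private final GroupTemplate engine;

    public BeetlSstiDemo() throws IOException {
        // A string resource loader lets callers hand Beetl raw template text.
        // Combined with untrusted input, that is the SSTI precondition.
        engine = new GroupTemplate(new StringTemplateResourceLoader(),
                                   Configuration.defaultConfiguration());
    }

    /**
     * VULNERABLE PATTERN: the caller-supplied string becomes the template
     * source, so every expression in it is parsed and evaluated. On Beetl
     * before 3.15.12 the only barrier to native calls is the
     * DefaultNativeSecurityManager block list, which the advisory says can
     * be bypassed. Never expose this path to user input.
     */
    public String renderUnsafe(String userSuppliedTemplate) {
        Template t = engine.getTemplate(userSuppliedTemplate);
        return t.render();
    }

    /**
     * SAFE PATTERN: the template is a fixed, developer-authored string and
     * the untrusted value is only a bound variable, so Beetl never parses
     * it as template code.
     */
    public String renderSafe(String untrustedName) {
        Template t = engine.getTemplate("Hello, ${name}!");
        t.binding("name", untrustedName);
        return t.render();
    }

    public static void main(String[] args) throws IOException {
        BeetlSstiDemo demo = new BeetlSstiDemo();
        // Constructed input: a template expression. Bound as data it is
        // echoed literally ("Hello, ${1+1}!"); passed as template source in
        // renderUnsafe it would be evaluated ("2"), which is the behaviour
        // an attacker builds on.
        String input = "${1+1}";
        System.out.println(demo.renderSafe(input));
    }
}
```

Treat the block list as defence in depth only: the fix is to update the `com.ibeetl:beetl` dependency to 3.15.12 or later and to audit the code base for any `getTemplate(...)` call whose argument can be influenced by request data, configuration uploaded by users, or database content.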