GHSA-7gj7-224w-vpr3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7gj7-224w-vpr3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-7gj7-224w-vpr3/GHSA-7gj7-224w-vpr3.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-7gj7-224w-vpr3
- Aliases
- Published
- 2023-07-14T06:31:00Z
- Modified
- 2024-06-12T22:46:02.112872Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Spring-boot-admin sandbox bypass via crafted HTML
- Details
-
Thymeleaf through 3.1.1.RELEASE as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 allows for a sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
Spring Boot Admin 3.1.2 and 2.7.16 contain mitigations for the issue. This bypass is achived via a library called Thymeleaf which has added counter measures for this sort of bypass in version
3.1.2.RELEASEwhich has explicity forbidden static access toorg.springframework.utilin expressions. Thymeleaf itself should not be considered vulnerable. - Database specific
{ "nvd_published_at": "2023-07-14T05:15:09Z", "cwe_ids": [ "CWE-77" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-07-14T21:50:50Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-38286
- https://github.com/codecentric/spring-boot-admin/issues/2613
- https://github.com/thymeleaf/thymeleaf/issues/966
- https://github.com/codecentric/spring-boot-admin/pull/2615
- https://github.com/codecentric/spring-boot-admin/commit/f1f6ac6f613e1c0afc121c8989f28b4155a6797a
- https://github.com/codecentric/spring-boot-admin/commit/f1f6ac6f613e1c0afc121c8989f28b4155a6797a#diff-1ea8b144c29588e08221597d56d8be10b4b4a210f248a83f2e837152a3d2e0d7
- https://github.com/codecentric/spring-boot-admin
- https://github.com/codecentric/spring-boot-admin/blob/master/spring-boot-admin-server/pom.xml
- https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI
Affected packages
Maven / de.codecentric:spring-boot-admin-server
Package
- Name
- de.codecentric:spring-boot-admin-server
- View open source insights on deps.dev
- Purl
- pkg:maven/de.codecentric/spring-boot-admin-server
Maven / de.codecentric:spring-boot-admin-server
Package
- Name
- de.codecentric:spring-boot-admin-server
- View open source insights on deps.dev
- Purl
- pkg:maven/de.codecentric/spring-boot-admin-server
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.7.16
Affected versions
1.*
1.0.2
1.0.3
1.0.4
1.0.5
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0
2.3.1
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15