Arbitrary Class Access Issue in Jinjava by HubSpot
CVE-2020-12668
6.5 MEDIUM
What is CVE-2020-12668?
Jinjava versions prior to 2.5.4 are susceptible to a vulnerability that enables access to arbitrary classes by executing Java methods on objects within a Jinjava context. This flaw could result in misuse of the application’s class loader, potentially allowing an attacker to disclose arbitrary sensitive files. Users of Jinjava should update to version 2.5.4 or later to mitigate this risk.
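
A dependency check for the fix described above, as an added example that is not part of the original advisory or of the Jinjava project: it reads a Maven POM and reports whether the declared Jinjava version is below 2.5.4. The Maven coordinates `com.hubspot.jinjava:jinjava`, the function names and the sample POM are assumptions or constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (2, 5, 4)  # first fixed release named in the advisory
GROUP, ARTIFACT = "com.hubspot.jinjava", "jinjava"  # assumed Maven coordinates

# Constructed sample POM (not from the advisory): version set through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jinjava.version>2.5.3</jinjava.version></properties>
  <dependencies>
    <dependency><groupId>com.hubspot.jinjava</groupId><artifactId>jinjava</artifactId>
      <version>${jinjava.version}</version></dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Return the leading numeric components as a tuple, or None if there are none."""
    m = re.match(r"(\d+(?:\.\d+)*)", text or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so "2.5" compares as 2.5.0

def local(tag):
    """Strip the XML namespace that Maven POMs normally carry."""
    return tag.rsplit("}", 1)[-1]

def check_pom(pom_xml):
    """Return [(version, status)] for every Jinjava dependency declared in the POM."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root:
        if local(el.tag) == "properties":
            props = {local(p.tag): (p.text or "").strip() for p in el}
    findings = []
    for dep in root.iter():
        if local(dep.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId"), fields.get("artifactId")) != (GROUP, ARTIFACT):
            continue
        declared = fields.get("version", "")
        ref = re.fullmatch(r"\$\{(.+)\}", declared)  # ${property} reference
        resolved = props.get(ref.group(1), "") if ref else declared
        ver = parse_version(resolved)
        # "unknown" means inherited or unresolved: inspect the effective POM instead.
        status = "unknown" if ver is None else "vulnerable" if ver < FIXED else "fixed"
        findings.append((resolved or declared, status))
    return findings
```

Qualifiers such as `-SNAPSHOT` are ignored by the comparison, so a pre-release build of 2.5.4 should be confirmed by hand.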
