Server-Side Template Injection in Beetl Framework by Xiandafu
CVE-2024-22533

9.8CRITICAL

Key Information:

Vendor: Xiandafu
Status: Beetl
Vendor: CVE Published:; 2 February 2024

What is CVE-2024-22533?

The Beetl Framework prior to version 3.15.12 contains a server-side template injection (SSTI) vulnerability that arises from the handling of controllable incoming templates. The DefaultNativeSecurityManager applies a blacklist for input filtering, but the implementation is not sufficiently strict, allowing for potential bypass. This could lead to arbitrary code execution, posing serious security risks to applications relying on this framework. Users are advised to upgrade to mitigate this vulnerability.

References

https://gitee.com/xiandafu/beetl/issues/I8RU01

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 2, 2024
Vulnerability Reserved
Jan 11, 2024

CVE-2024-22533 Data

JSON