Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-38286

UNKNOWN
Published 2023-07-14T00:00:00
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-38286. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Spring-boot-admin sandbox bypass via crafted HTML

GHSA-7gj7-224w-vpr3

Advisory Details

Thymeleaf through 3.1.1.RELEASE as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 allows for a sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI. Spring Boot Admin 3.1.2 and 2.7.16 contain mitigations for the issue. This bypass is achived via a library called Thymeleaf which has added counter measures for this sort of bypass in version `3.1.2.RELEASE` which has explicity forbidden static access to `org.springframework.util` in expressions. Thymeleaf itself should not be considered vulnerable.

Affected Packages

Maven de.codecentric:spring-boot-admin-server
ECOSYSTEM: ≥3.0.0 <3.1.2
Maven de.codecentric:spring-boot-admin-server
ECOSYSTEM: ≥0 <2.7.16

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-38286
WEB https://github.com/codecentric/spring-boot-admin/issues/2613
WEB https://github.com/thymeleaf/thymeleaf/issues/966
WEB https://github.com/codecentric/spring-boot-admin/pull/2615
WEB https://github.com/codecentric/spring-boot-admin/commit/f1f6ac6f613e1c0afc121c8989f28b4155a6797a
WEB https://github.com/codecentric/spring-boot-admin/commit/f1f6ac6f613e1c0afc121c8989f28b4155a6797a#diff-1ea8b144c29588e08221597d56d8be10b4b4a210f248a83f2e837152a3d2e0d7
PACKAGE https://github.com/codecentric/spring-boot-admin
WEB https://github.com/codecentric/spring-boot-admin/blob/master/spring-boot-admin-server/pom.xml
WEB https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI

Advisory provided by GitHub Security Advisory Database. Published: July 14, 2023, Modified: June 12, 2024

References

https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI
Published: 2023-07-14T00:00:00
Last Modified: 2024-10-30T16:01:10.933Z
Copied to clipboard!