GHSA-7gj7-224w-vpr3

GitHub Security Advisory

Spring-boot-admin sandbox bypass via crafted HTML

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1, allows a sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

Spring Boot Admin 3.1.2 and 2.7.16 contain mitigations for the issue. The bypass is achieved through the Thymeleaf templating library, which added countermeasures for this class of bypass in version `3.1.2.RELEASE` by explicitly forbidding static access to `org.springframework.util` in expressions. Thymeleaf itself should not be considered vulnerable.

Affected Packages

Maven de.codecentric:spring-boot-admin-server
Affected versions: >= 3.0.0, < 3.1.2 (fixed in 3.1.2)
Maven de.codecentric:spring-boot-admin-server
Affected versions: < 2.7.16 (fixed in 2.7.16)

Related CVEs

Key Information

GHSA ID
GHSA-7gj7-224w-vpr3
Published
July 14, 2023 6:31 AM
Last Modified
June 12, 2024 10:40 PM
CVSS Score
7.5 /10
Primary Ecosystem
Maven
Primary Package
de.codecentric:spring-boot-admin-server
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 30, 2025 6:36 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.