CVE-2024-22533
Beetl Server-Side Template Injection vulnerability
9.8
CRITICAL
CVSS 3.1
EPSS 0.77%
Description
Before Beetl v3.15.13.RELEASE, template rendering has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable by the caller, it is filtered by the DefaultNativeSecurityManager blacklist; because that blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.
How to fix CVE-2024-22533
To remediate CVE-2024-22533, upgrade the affected package to a fixed version below.
- upgrade to 3.15.13.RELEASE or later
Is CVE-2024-22533 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- all versions from 0 up to, but not including, 3.15.13.RELEASE
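The following is an added example, not part of the advisory or the Beetl project: a small audit script that pulls Beetl dependency declarations out of a Maven pom.xml and checks each version against the affected range given above (every version below 3.15.13.RELEASE). The Maven coordinates com.ibeetl:beetl and the MAJOR.MINOR.PATCH[.RELEASE] version scheme are assumptions; the pom.xml content is constructed sample input.

```python
"""Audit a Maven pom.xml for Beetl versions affected by CVE-2024-22533.

Added example, not code from the advisory or the Beetl project. Assumes Beetl
is published under the Maven coordinates com.ibeetl:beetl (assumption) and
that its versions follow the MAJOR.MINOR.PATCH[.RELEASE] scheme shown in the
advisory.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "3.15.13.RELEASE"   # fixed version stated in the advisory
BEETL_GROUP = "com.ibeetl"          # assumed Maven groupId
BEETL_ARTIFACT = "beetl"            # assumed Maven artifactId
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(version):
    """Turn '3.15.12.RELEASE' into (3, 15, 12); raise on anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Beetl version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version lies in the advisory range [0, 3.15.13.RELEASE)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def beetl_versions_in_pom(pom_xml):
    """Return the Beetl versions declared in a pom.xml string.

    Handles both namespaced (xmlns=...) and bare pom.xml documents.
    """
    root = ET.fromstring(pom_xml)
    ns = MAVEN_NS if root.tag.startswith("{") else ""
    found = []
    for dep in root.iter(f"{ns}dependency"):
        group = dep.findtext(f"{ns}groupId")
        artifact = dep.findtext(f"{ns}artifactId")
        version = dep.findtext(f"{ns}version")
        if group == BEETL_GROUP and artifact == BEETL_ARTIFACT and version:
            found.append(version)
    return found


def audit_pom(pom_xml):
    """Map each declared Beetl version to True (affected), False (fixed) or
    None (version is a property reference such as ${beetl.version} and must
    be resolved before it can be judged)."""
    result = {}
    for v in beetl_versions_in_pom(pom_xml):
        try:
            result[v] = is_affected(v)
        except ValueError:
            result[v] = None
    return result


# Constructed sample pom.xml declaring one vulnerable Beetl version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.ibeetl</groupId>
      <artifactId>beetl</artifactId>
      <version>3.15.12.RELEASE</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for version, affected in audit_pom(SAMPLE_POM).items():
        if affected is None:
            status = "unresolved property, check the effective pom"
        elif affected:
            status = "AFFECTED, upgrade to " + FIXED_VERSION
        else:
            status = "fixed"
        print(f"beetl {version}: {status}")
```

Run it against a real project with `mvn help:effective-pom` output rather than the raw pom.xml so that versions inherited from a parent or a property are resolved; a version that comes back as `None` means the script could not judge it and the effective POM should be consulted.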
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |