CVE-2023-38286
Spring-boot-admin sandbox bypass via crafted HTML
描述
Thymeleaf through 3.1.1.RELEASE as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 allows for a sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI. Spring Boot Admin 3.1.2 and 2.7.16 contain mitigations for the issue. This bypass is achived via a library called Thymeleaf which has added counter measures for this sort of bypass in version `3.1.2.RELEASE` which has explicity forbidden static access to `org.springframework.util` in expressions. Thymeleaf itself should not be considered vulnerable.
如何修補 CVE-2023-38286
要修補 CVE-2023-38286,請將受影響套件升級到下列已修補版本。
- —升級至 3.1.2 或更新版本
CVE-2023-38286 正在被利用嗎?
低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- >= 3.0.0, < 3.1.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |