CVE-2026-42555
CRITICAL 9.1 | EPSS 0.30% | Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users

Description
### Summary

Multiple classes evaluate Spring Expression Language (SpEL) expressions from user-supplied input using `StandardEvaluationContext`, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration.

### Impact

An attacker with ADMIN credentials can:

- **Execute arbitrary OS commands** via `T(java.lang.Runtime).getRuntime().exec('...')`
- **Exfiltrate all environment variables** (database passwords, API keys, Keycloak secrets) via `T(java.lang.System).getenv()`
- **Read JVM system properties** via `T(java.lang.System).getProperties()`
- **Load arbitrary classes** via `T(java.lang.Class).forName('...')`

### Affected Components

**1. DocumentMigrationService** (since 12.0.0)

Exploitable through the document migration REST API:

- `POST /api/management/v1/document-definition/migrate`
- `POST /api/management/v1/document-definition/migration/conflicts`

The malicious SpEL expression is supplied in the `source` or `target` field of a `DocumentMigrationPatch` object in the request body, using the `${...}` template syntax.

- In 12.x: `com.ritense.document.service.DocumentMigrationService#handleSpelExpression` (document module)
- In 13.x: same class, moved to the case module

**2. Condition** (since 13.4.0)

Exploitable through any admin-configured widget, dashboard, or feature that uses the `Condition` framework. The SpEL expression is supplied in the `value` field of a condition's JSON configuration.

- `com.ritense.valtimo.contract.conditions.Condition#resolveValue` (contract module)

This component has a significantly wider attack surface than DocumentMigrationService, as conditions are used across many modules.
### Remediation

Replace `StandardEvaluationContext` with `SimpleEvaluationContext` in both affected classes, which disallows Java type references and arbitrary method invocation:

```kotlin
val evaluationContext = SimpleEvaluationContext
    .forPropertyAccessors(MapAccessor(), jsonPropertyAccessor)
    .build()
```
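The following added example (not Valtimo's code) puts the vulnerable and remediated evaluator shapes side by side so the fix can be regression-tested: a legitimate property expression is accepted by both, while a `T(...)` type reference is resolved by `StandardEvaluationContext` and rejected by `SimpleEvaluationContext`. The `document` map and the expressions are constructed sample input; only `MapAccessor` is wired in, standing in for the advisory's `jsonPropertyAccessor`.

```kotlin
import org.springframework.context.expression.MapAccessor
import org.springframework.expression.EvaluationContext
import org.springframework.expression.spel.SpelEvaluationException
import org.springframework.expression.spel.standard.SpelExpressionParser
import org.springframework.expression.spel.support.SimpleEvaluationContext
import org.springframework.expression.spel.support.StandardEvaluationContext

// Constructed sample root object: stands in for the case/document data a
// condition or migration patch expression is evaluated against.
val document: Map<String, Any> = mapOf("status" to "open", "amount" to 42)

private val parser = SpelExpressionParser()

// Vulnerable shape: StandardEvaluationContext ships a TypeLocator and
// reflective method resolution, so whoever controls the expression string
// can reach T(...) type references and arbitrary method calls.
fun evaluateUnsafe(expression: String): Any? {
    val ctx = StandardEvaluationContext(document)
    ctx.addPropertyAccessor(MapAccessor())
    return parser.parseExpression(expression).getValue(ctx)
}

// Remediated shape from the advisory: SimpleEvaluationContext built only from
// property accessors has no TypeLocator and no method resolvers, so property
// reads on the root object still work but T(...) and method invocation fail.
fun evaluateSafe(expression: String): Any? {
    val ctx: EvaluationContext = SimpleEvaluationContext
        .forPropertyAccessors(MapAccessor())
        .build()
    return parser.parseExpression(expression).getValue(ctx, document)
}

fun main() {
    // A condition an admin would legitimately configure.
    val legitimate = "status == 'open' and amount > 10"
    // Harmless stand-in for the T(...) payload pattern in the advisory.
    val typeRef = "T(java.lang.Math).max(1, 2)"

    println("unsafe/legitimate: " + evaluateUnsafe(legitimate))
    println("safe/legitimate:   " + evaluateSafe(legitimate))
    println("unsafe/typeRef:    " + evaluateUnsafe(typeRef))
    try {
        evaluateSafe(typeRef)
        println("safe/typeRef:      resolved (context is NOT hardened)")
    } catch (e: SpelEvaluationException) {
        // messageCode is the SpelMessage constant explaining the rejection.
        println("safe/typeRef:      rejected with " + e.messageCode)
    }
}
```

Wiring the `evaluateSafe` check into a unit test that asserts the `SpelEvaluationException` is thrown guards against the context being silently switched back to `StandardEvaluationContext` in a later refactor.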
Affected packages (3)
- Maven / com.ritense.valtimo:case: >= 13.0.0, < 13.23.0
- Maven / com.ritense.valtimo:contract: >= 13.4.0, < 13.23.0
- Maven / com.ritense.valtimo:document: >= 12.0.0, < 12.32.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |