PebbleTemplates / pebble

Java Template Engine
https://pebbletemplates.io
BSD 3-Clause "New" or "Revised" License

[Security] Vulnerability to Arbitrary code execution #655

Closed ego93 closed 1 year ago

ego93 commented 1 year ago

Pebble Templates in all versions is vulnerable to Arbitrary code execution, only when exposing Spring beans and Servlet related objects (such as the Servlet Context). This may introduce a variety of objects which can be used to bypass the Pebble sandbox. Deep inspection of the exposed objects' object graph allows an attacker to get access to objects that allow them to instantiate arbitrary Java objects.

This has been caught by Prisma PRISMA-2021-0114

ebussieres commented 1 year ago

Is it the same thing as https://github.com/PebbleTemplates/pebble/issues/625 ? If yes, the CVE was disputed. Templates should not arrive from an untrusted source, or else the application using the engine should apply restrictions to the templates.
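The two restrictions named in the thread (templates come from application code, not from users, and the engine is configured restrictively with no framework objects handed to the template context) can be shown in a small Java class. This is an added example, not code from the Pebble project or from anyone in this thread. It assumes the Pebble 3.x builder options `allowGetClass`, `allowUnsafeMethods` and `strictVariables`, the `StringLoader` class, and the `io.pebbletemplates.pebble` package prefix (older 3.1.x releases use `com.mitchellbosecke.pebble`); the class and variable names are made up for the example.

```java
import io.pebbletemplates.pebble.PebbleEngine;
import io.pebbletemplates.pebble.loader.StringLoader;
import io.pebbletemplates.pebble.template.PebbleTemplate;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the Pebble project): a restrictively configured engine
// that renders application-owned templates over plain data only.
public class HardenedPebbleExample {

    // Engine for the setting the maintainer describes: template authors are trusted,
    // template *data* is not, and no framework object should be reachable from a template.
    static PebbleEngine buildEngine() {
        return new PebbleEngine.Builder()
                .loader(new StringLoader())   // templates are string constants in application code
                .allowGetClass(false)         // keep getClass()/.class traversal blocked (assumed option name)
                .allowUnsafeMethods(false)    // keep the default method blacklist active (assumed option name)
                .strictVariables(true)        // an unknown variable fails the render instead of rendering blank
                .autoEscaping(true)           // output escaping for the HTML case
                .build();
    }

    // Copy only the scalar values the template needs. Never put the ServletContext,
    // the Spring ApplicationContext, the request, or other live beans into this map;
    // the issue above describes exactly that exposure as the sandbox bypass path.
    static Map<String, Object> buildContext(String displayName, int orderCount) {
        Map<String, Object> ctx = new HashMap<>();
        ctx.put("name", displayName);
        ctx.put("orders", orderCount);
        return ctx;
    }

    // Render a template whose source is owned by the application, with the restricted context.
    static String render(PebbleEngine engine, String templateSource, Map<String, Object> ctx)
            throws IOException {
        PebbleTemplate template = engine.getTemplate(templateSource);
        StringWriter out = new StringWriter();
        template.evaluate(out, ctx);
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        PebbleEngine engine = buildEngine();
        // Constructed sample: the template text is a compile-time constant, never request input.
        String templateSource = "Hello {{ name }}, you have {{ orders }} orders.";
        System.out.println(render(engine, templateSource, buildContext("Ada", 3)));
    }
}
```

The engine options narrow what a template can reach, but they are the second line of defence; the first is that `templateSource` is never taken from a request, a database row a user controls, or an upload, which is the point the maintainer makes above.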

ego93 commented 1 year ago

I'll raise a ticket with Prisma pointing to #625

ego93 commented 1 year ago

Prisma response:

As mentioned here - https://nvd.nist.gov/vuln/detail/CVE-2022-37767, it looks like the CVE is disputed by the vendor. The reason this is probably being triggered by Prisma is because the product by design does not do input validation; it assumes all code is from a trusted source. As the vulnerability is disputed, our feed still shows this as unresolved and it is an expected behavior from the product.