cvelist / GitHub_M / CVELIST:CVE-2022-24881
History: Apr 26, 2022 - 4:06 p.m.

CVE-2022-24881 Command Injection in Ballcat Codegen

2022-04-26 16:06:21
CWE-94
GitHub_M
www.cve.org
cve-2022-24881
command injection
ballcat codegen
remote code execution
template injection
velocity
freemarker
input verification
security update

CVSS3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 10
Confidence: High

EPSS: 0.013
Percentile: 86.0%

Ballcat Codegen lets users edit code-generation templates online. In versions prior to 1.0.0.beta.2, an attacker could achieve remote code execution by injecting malicious code into those templates: the Velocity and FreeMarker template engines were introduced without input verification on the template content, so whatever a user submitted was evaluated by the engine. The fault is fixed in version 1.0.0.beta.2.
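As an added illustration of the pattern the advisory describes (this is not Ballcat's code and makes no claim about how the Ballcat issue itself was exploited): a Java snippet renders a caller-supplied template string with FreeMarker and Velocity, first with engine defaults and then with the engines' own hardening controls, FreeMarker's `ALLOWS_NOTHING_RESOLVER` plus `api_builtin_enabled=false`, and Velocity's `SecureUberspector`. The class and property names are the real FreeMarker 2.3 / Velocity 2.x APIs; the model data and template strings are constructed for the demo.

```java
// Added example, not Ballcat project code. Shows why evaluating a user-supplied
// template string with engine defaults is code execution, and which engine
// settings close the well-known paths. Model and templates are constructed.
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class TemplateInjectionDemo {

    // Vulnerable pattern: the user's input IS the template source, so any
    // directive in it runs. FreeMarker's default "new" built-in resolver
    // (UNRESTRICTED_RESOLVER) lets a template instantiate TemplateModel classes
    // by name, including freemarker.template.utility.ObjectConstructor /
    // Execute, which FreeMarker's own docs flag as a security concern.
    static String renderFreeMarkerUnsafe(String userTemplate, Map<String, Object> model)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        Template t = new Template("user-template", new StringReader(userTemplate), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    // Hardened: refuse every ?new() instantiation and keep ?api off, so a
    // template can only read the model it was handed.
    static String renderFreeMarkerHardened(String userTemplate, Map<String, Object> model)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false);
        Template t = new Template("user-template", new StringReader(userTemplate), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    // Velocity: the default uberspector lets a template reflect from any object
    // in the context (e.g. $x.class.classLoader). SecureUberspector rejects
    // getClass() and the java.lang.reflect / ClassLoader paths.
    static String renderVelocity(String userTemplate, Map<String, Object> model, boolean hardened) {
        VelocityEngine ve = new VelocityEngine();
        if (hardened) {
            ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                    "org.apache.velocity.util.introspection.SecureUberspector");
        }
        ve.init();
        StringWriter out = new StringWriter();
        ve.evaluate(new VelocityContext(model), out, "user-template", userTemplate);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo model: the kind of value a code generator exposes.
        Map<String, Object> model = new HashMap<>(Map.of("entity", "SysUser"));

        String benign = "class ${entity}Mapper {}";
        System.out.println(renderFreeMarkerHardened(benign, model)); // legitimate use still works

        // Constructed hostile template: uses ?new() to reach ObjectConstructor,
        // which can instantiate arbitrary classes. Here it only builds a String,
        // but the unsafe renderer honours it while the hardened one throws
        // before anything is instantiated.
        String hostile = "<#assign oc = \"freemarker.template.utility.ObjectConstructor\"?new()>"
                + "${oc(\"java.lang.String\", \"x\")}";
        System.out.println(renderFreeMarkerUnsafe(hostile, model));
        try {
            renderFreeMarkerHardened(hostile, model);
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // Velocity: reflection out of a model value is cut off in hardened mode,
        // so the reference is left unrendered instead of yielding a Class.
        String reflect = "${entity.class.name}";
        System.out.println(renderVelocity(reflect, model, false));
        System.out.println(renderVelocity(reflect, model, true));
    }
}
```

Engine hardening reduces what an injected template can reach, but it does not make "user writes the template" safe in itself; a template author still sees everything in the model, which is why the advisory's fix is framed as input verification on the template content rather than a resolver setting alone.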

CNA Affected

[
  {
    "product": "ballcat-codegen",
    "vendor": "ballcat-projects",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.0.0.beta.2"
      }
    ]
  }
]

