GoogleOSV:GHSA-7GJ7-224W-VPR3Spring-boot-admin sandbox bypass via crafted HTML
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
36.8%
Thymeleaf through 3.1.1.RELEASE as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 allows for a sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
Spring Boot Admin 3.1.2 and 2.7.16 contain mitigations for the issue. This bypass is achived via a library called Thymeleaf which has added counter measures for this sort of bypass in version 3.1.2.RELEASE which has explicity forbidden static access to org.springframework.util in expressions. Thymeleaf itself should not be considered vulnerable.
References
github.com/codecentric/spring-boot-admin
github.com/codecentric/spring-boot-admin/blob/master/spring-boot-admin-server/pom.xml
github.com/codecentric/spring-boot-admin/commit/f1f6ac6f613e1c0afc121c8989f28b4155a6797a
github.com/codecentric/spring-boot-admin/commit/f1f6ac6f613e1c0afc121c8989f28b4155a6797a#diff-1ea8b144c29588e08221597d56d8be10b4b4a210f248a83f2e837152a3d2e0d7
github.com/codecentric/spring-boot-admin/issues/2613
github.com/codecentric/spring-boot-admin/pull/2615
github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI
github.com/thymeleaf/thymeleaf/issues/966
nvd.nist.gov/vuln/detail/CVE-2023-38286
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
36.8%