Remote Code Execution

2022-02-1404:07:01

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

mockserver

vulnerability

remote code execution

dynamic creation

javascript

velocity templates

cors configuration

malicious script

software

EPSS

0.003

Percentile

65.9%

JSON

mockserver-core is vulnerable to remote code execution. The use of dynamic creation of expectations using Javascript or Velocity templates and default CORS configuration in MockServer allow an attacker to inject malicious script while running MockServer locally.

References

github.com/mock-server/mockserver/blob/33ce88631b4e3d09b499caccfe1f7897f9fc8f18/mockserver-core/src/main/java/org/mockserver/templates/engine/velocity/VelocityTemplateEngine.java#L38-L41

github.com/mock-server/mockserver/commit/905f004da91ff4e6acb9b22ad6116a4e8d096359

github.com/mock-server/mockserver/issues/1141

securitylab.github.com/advisories/GHSL-2021-059-mockserver

securitylab.github.com/advisories/GHSL-2021-059-mockserver/

www.oracle.com/security-alerts/cpujan2022.html