
CVE-2021-31635: jFinal Server-Side Template Injection vulnerability

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.78467%
Published: 6/26/2023
Updated: 12/5/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: com.jfinal:jfinal
Ecosystem: maven
Vulnerable Versions: <= 4.9.08
First Patched Version: (not listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper handling of user input in template processing functions. JFinal's template engine evaluates expressions during rendering, and the advisory explicitly identifies the 'template function' as the attack vector. The Engine.getTemplate method is the entry point for template processing, and Template.render executes the logic. Together they form the chain for SSTI exploitation when user input isn't properly sanitized, consistent with CWE-94 code injection patterns in template engines.

WAF Protection Rules

WAF Rule

Server-Side Template Injection (SSTI) vulnerability in jfinal v.4.9.08 allows a remote attacker to execute arbitrary code via the template function.
