Miggo Logo
Miggo Vulnerability Database
CVE-2023-30331

CVE-2023-30331: Server-side template injection in beetl

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-30331
GHSA ID
GHSA-m69h-4frq-vwq7
EPSS Score
0.4771%
CWE
-
Published
5/4/2023
Updated
11/8/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.ibeetl:beetlmaven<= 3.15.0.RELEASE

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key points: 1) DefaultNativeSecurityManager's permit method only blocks specific java.lang classes but allows reflection to bypass these restrictions, as demonstrated in the POC using Class.forName() to access ScriptEngineManager. 2) The template rendering function (render) serves as the injection vector that processes attacker-controlled templates without preventing the execution of arbitrary Java code via these bypassed reflection paths. The combination of these two functions creates the SSTI vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* in t** r*n**r *un*tion o* ***tl v*.**.* *llows *tt**k*rs to *x**ut* s*rv*r-si** t*mpl*t* inj**tion (SSTI) vi* * *r**t** p*ylo**.

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *) `****ultN*tiv*S**urityM*n***r`'s `p*rmit` m*t*o* only *lo*ks sp**i*i* `j*v*.l*n*` *l*ss*s *ut *llows r**l**tion to *yp*ss t**s* r*stri*tions, *s **monstr*t** in t** PO* usin* `*l*ss.*orN*m*()` to ****ss