7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38286

GHSA ID

GHSA-7gj7-224w-vpr3

EPSS Score

0.28007%

CWE

CWE-77

Published

7/14/2023

Updated

6/12/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-38286

CVE-2023-38286:
Spring-boot-admin sandbox bypass via crafted HTML

Thymeleaf through 3.1.1.RELEASE as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 allows for a sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

Spring Boot Admin 3.1.2 and 2.7.16 contain mitigations for the issue. This bypass is achived via a library called Thymeleaf which has added counter measures for this sort of bypass in version 3.1.2.RELEASE which has explicity forbidden static access to org.springframework.util in expressions. Thymeleaf itself should not be considered vulnerable.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38286

GHSA ID

GHSA-7gj7-224w-vpr3

EPSS Score

0.28007%

CWE

CWE-77

Published

7/14/2023

Updated

6/12/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
de.codecentric:spring-boot-admin-server	maven	>= 3.0.0, < 3.1.2	3.1.2
de.codecentric:spring-boot-admin-server	maven	< 2.7.16	2.7.16

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis focused on the changes made to the mailNotifierTemplateEngine function in AdminServerNotifierAutoConfiguration, which directly relates to how templates are processed for mail notifications. The change from SpringResourceTemplateResolver to ClassLoaderTemplateResolver is a key mitigation step, indicating the original configuration was potentially vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*ym*l*** t*rou** *.*.*.R*L**S* *s us** in sprin*-*oot-**min (*k* Sprin* *oot **min) t*rou** *.*.* *llows *or * s*n**ox *yp*ss vi* *r**t** *TML. T*is m*y ** r*l*v*nt *or SSTI (S*rv*r Si** T*mpl*t* Inj**tion) *n* *o** *x**ution in sprin*-*oot-**min i*

Reasoning

T** *n*lysis *o*us** on t** ***n**s m*** to t** m*ilNoti*i*rT*mpl*t**n*in* *un*tion in **minS*rv*rNoti*i*r*uto*on*i*ur*tion, w*i** *ir**tly r*l*t*s to *ow t*mpl*t*s *r* pro**ss** *or m*il noti*i**tions. T** ***n** *rom Sprin*R*sour**T*mpl*t*R*solv*r

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-38286: Spring-boot-admin sandbox bypass via crafted HTML

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-38286:
Spring-boot-admin sandbox bypass via crafted HTML

Vulnerability Intelligence
Miggo AI