Ballcat Codegen provides a function for editing code-generation templates online. In versions prior to 1.0.0.beta.2, an attacker can achieve remote code execution by injecting malicious code into the template engine. This is possible because Velocity and FreeMarker templates are introduced without any input verification. The fault is rectified in version 1.0.0.beta.2.
References
| Link | Resource |
|---|---|
| https://github.com/ballcat-projects/ballcat-codegen/commit/84a7cb38daf0295b93aba21d562ec627e4eb463b | Patch, Third Party Advisory |
| https://github.com/ballcat-projects/ballcat-codegen/issues/5 | Issue Tracking, Patch, Third Party Advisory |
| https://github.com/ballcat-projects/ballcat-codegen/security/advisories/GHSA-fv3m-xhqw-9m79 | Exploit, Patch, Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-04-26T16:06:21
Updated: 2022-04-26T16:06:21
Reserved: 2022-02-10T00:00:00
Link: CVE-2022-24881
NVD Information
Status : Analyzed
Published: 2022-04-26T16:15:47.737
Modified: 2022-05-06T13:14:40.147
Link: CVE-2022-24881
Redhat Information
No data.