CVE-2023-38286: Command Injection
First published: Fri Jul 14 2023(Updated: )
Thymeleaf through 3.1.1.RELEASE as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 allows for a sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI. Spring Boot Admin 3.1.2 and 2.7.16 contain mitigations for the issue. This bypass is achived via a library called Thymeleaf which has added counter measures for this sort of bypass in version `3.1.2.RELEASE` which has explicity forbidden static access to `org.springframework.util` in expressions. Thymeleaf itself should not be considered vulnerable.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/de.codecentric:spring-boot-admin-server | <2.7.16 | 2.7.16 |
| maven/de.codecentric:spring-boot-admin-server | >=3.0.0<3.1.2 | 3.1.2 |
| Spring Boot Admin | <=3.1.0 | |
| Thymeleaf | <=3.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI
- https://nvd.nist.gov/vuln/detail/CVE-2023-38286
- https://github.com/codecentric/spring-boot-admin/issues/2613
- https://github.com/codecentric/spring-boot-admin/pull/2615
- https://github.com/codecentric/spring-boot-admin/commit/f1f6ac6f613e1c0afc121c8989f28b4155a6797a
- https://github.com/codecentric/spring-boot-admin/commit/f1f6ac6f613e1c0afc121c8989f28b4155a6797a#diff-1ea8b144c29588e08221597d56d8be10b4b4a210f248a83f2e837152a3d2e0d7
- https://github.com/codecentric/spring-boot-admin/blob/master/spring-boot-admin-server/pom.xml
- https://github.com/thymeleaf/thymeleaf/issues/966
- https://github.com/advisories/GHSA-7gj7-224w-vpr3 (Advisory)
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID is CVE-2023-38286.
What is the severity rating of CVE-2023-38286?
CVE-2023-38286 has a severity rating of 7.5, which is considered high.
How can this vulnerability be exploited?
This vulnerability can be exploited through crafted HTML, potentially leading to server-side template injection (SSTI) and code execution.
Which products are affected by CVE-2023-38286?
Products such as spring-boot-admin (Spring Boot Admin) versions up to 3.1.1, Codecentric Spring Boot Admin up to 3.1.0, and Thymeleaf up to 3.1.1 are affected by CVE-2023-38286.
How can I fix CVE-2023-38286?
To fix CVE-2023-38286, update the spring-boot-admin package to version 3.1.2, or check for updates from the respective product vendors.
- collector/nvd-latest
- agent/type
- agent/author
- agent/weakness
- agent/references
- agent/severity
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-7gj7-224w-vpr3
- alias/CVE-2023-38286
- agent/software-canonical-lookup
- collector/github-advisory
- agent/description
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- package-manager/maven
- vendor/codecentric
- canonical/spring boot admin
- version/spring boot admin/3.1.0
- vendor/thymeleaf
- canonical/thymeleaf
- version/thymeleaf/3.1.1