CVE-2022-37767

Published: Sep 12, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok. NOTE: the vendor disputes this because input to the Pebble templating engine is intended to include arbitrary Java code, and thus either the input should not arrive from an untrusted source, or else the application using the engine should apply restrictions to the input. The engine is not responsible for validating the input.

Affected (1)

Products: Pebbletemplates: Pebble Templates

Pebbletemplates

1 product

Pebble Templates

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pebbletemplates Pebble Templates	Version 3.1.5

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://github.com/PebbleTemplates/pebble/issues/625#issuecomment-1282138635

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://github.com/Y4tacker/Web-Security/issues/3

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://github.com/PebbleTemplates/pebble/issues/625#issuecomment-1282138635

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://github.com/Y4tacker/Web-Security/issues/3

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

Timeline

No history available yet.