Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-45303: Execute (FreeMarker 2.3.32 API)

ThingsBoard before 3.5 allows Server-Side Template Injection if users are allowed to modify an email template, because Apache FreeMarker supports freemarker.template.utility.Execute (for content sent to the /api/admin/settings endpoint).

CVE
Open in Source
#web#apache#java

  • java.lang.Object

    • freemarker.template.utility.Execute

  • All Implemented Interfaces:

    TemplateMethodModel, TemplateModel

public class Execute
extends java.lang.Object
implements TemplateMethodModel

Gives FreeMarker the the ability to execute external commands. Will fork a process, and inline anything that process sends to stdout in the template. Based on a patch submitted by Peter Molettiere.

BE CAREFUL! this tag, depending on use, may allow you to set something up so that users of your web application could run arbitrary code on your server. This can only happen if you allow unchecked GET/POST submissions to be used as the command string in the exec tag.

Usage:  
From java:

 SimpleHash root = new SimpleHash();

 root.put( "exec", new freemarker.template.utility.Execute() );

 ...
 

From your FreeMarker template:

 The following is executed:
 ${exec( "/usr/bin/ls" )}

 ...

    • Field Summary

      • Fields inherited from interface freemarker.template.TemplateModelNOTHING

    • Constructor Summary

      Constructors

      Constructor and Description

      Execute()

*   **Method Summary**
    
    All Methods Instance Methods Concrete Methods 
    
    Modifier and Type
    
    Method and Description
    
    java.lang.Object
    
    exec(java.util.List arguments)
    
    Executes a method call.
    
    *   **Methods inherited from class java.lang.Object**clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • Execute

        public Execute()

*   **Method Detail**
    *   **exec**
        
        public java.lang.Object exec(java.util.List arguments)
                              throws TemplateModelException
        
        Executes a method call.
        
        Specified by:
        
        exec in interface TemplateMethodModel
        
        Parameters:
        
        arguments - a List of String objects containing the values of the arguments passed to the method.
        
        Returns:
        
        the TemplateModel produced by the method, or null.
        
        Throws:
        
        TemplateModelException

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE