[GHSA-7gj7-224w-vpr3] Thymeleaf, as used in Spring Boot Admin, allows sandbox bypass via crafted HTML

[Subrhamanya]

Updates

• Affected products

Comments
codecentric/spring-boot-admin#2615

[darakian]

Hey @Subrhamanya, just to clarify. The fix has been back ported to the 2.x branch in 2.7.16, but the 3.x releases before 3.1.2 are still affected correct? There's that PR you link states BREAKING: default thymeleaf configuration now implmenents ClasspathResourceLoader ONLY.. Do you happen to know if thymeleaf itself has updated their behavior?

[Subrhamanya]

@darakian I think the fix was provided by spring boot admin team via this PR https://github.com/codecentric/spring-boot-admin/pull/2615/files#diff-1ea8b144c29588e08221597d56d8be10b4b4a210f248a83f2e837152a3d2e0d7 and not thymeleaf...

I am not sure if initially it was even flagged for thymeleaf.. I didn't see anywhere where thymeleaf changing their behaviour though..

[darakian]

Looking at one of the linked issues we have
thymeleaf/thymeleaf#966
it seems like thymeleaf did indeed address this in the 3.1.2.RELEASE version with thymeleaf/thymeleaf#966 / thymeleaf/thymeleaf@87b512d

Good to know that spring boot admin has their own layer of defense as well, but my question about the 3.x versions still stands if you can comment on that please :)

[Subrhamanya]

This is what I saw in the comment there. They just excluded org.springframework.util being used that's what I am seeing in the next PR. I would say this CVE explains how spring boot admin uses thymeleaf to get exploited rather than what thymeleaf has given/changed.

Also to add more on thymeleaf,

They also forbidden a couple of spring web related stuff being used as well. @darakian my question arises is this CVE is flagged for spring boot admin or we thymeleaf. The description says about spring boot admin exploiting thymeleaf rather than what thymeleaf has given. Am I missing something?

[darakian]

question arises is this CVE is flagged for spring boot admin or we thymeleaf.

That's what I'm trying to get clarity on as well. The source CVE had text which lead my to believe that it could be both
https://nvd.nist.gov/vuln/detail/CVE-2023-38286

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products...

I think we're in agreement that spring boot admin is affected so, it remains to be determined if thymeleaf is as well and I read the PR as an signal toward yes thymeleaf is affected, but I suppose you're arguing that it is not?

[Subrhamanya]

To be Frank that's what in my mind though. All the description from different sources like NVD, GitHub advisory and many giving me the same impression. The NVD link you shared clearly tells as used in spring boot admin and many more products which gives me the impression that spring boot admin and many more applications are the ones exploiting it rathen than thymeleaf. Also they explain the mailNotifier functionality of spring boot admin specifically rather than any thymeleaf functionality that they have fixed in 2.7.16 release.

[Subrhamanya]

@darakian I closed the PR by mistake. Can it be re-opened??

[darakian]

Ya, I feel like it might be the case that the original text was overly vague. I think given that the poc does not deal with anything thymeleaf specific then it's probably best to assume that thymeleaf is not affected and to rewrite our description text to be clear that this advisory is about spring boot admin only. Do you agree?

I closed the PR by mistake. Can it be re-opened??

I don't think so, but I can make the edits on my end 👍

[Subrhamanya]

Yes I agree with it. Please share me the PR with the edits. I had a release which was blocked by this CVE for spring boot admin...

[darakian]

Edits are up and live here 👍
GHSA-7gj7-224w-vpr3

[Subrhamanya]

Thanks for the help @darakian 🙏