You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The org.springframework.util package contains a series of classes that, when accessed statically from SpringEL expressions included in Thymeleaf templates, might allow the execution of code from those templates. Generally there is no real reason for web applications to use classes from this package directly from Thymelaef templates — if there is a case where it is strictly necessary, a wrapper class in an application package could be created.
IMPORTANT
Note that attacks based on the execution of this kind of expression specifically require write access to template code, or Thymeleaf being executed on an application that somehow allows template code to be altered externally, as seems to be the case of Spring Boot Admin in CVE-2023-38286.
The text was updated successfully, but these errors were encountered:
In my opinion this is a Spring Boot Admin bug, not a Thymeleaf bug. In general I don't think Thymeleaf should filter what classes can be used or not used. You offer a powerful tool that can do anything and the user should be aware of it.
Just stumbled across a similar security problem involving hsqldb here. They "fixed it" by means of a system property:
The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
I would make use of something similar in Thymeleaf, eventually.
The
org.springframework.util
package contains a series of classes that, when accessed statically from SpringEL expressions included in Thymeleaf templates, might allow the execution of code from those templates. Generally there is no real reason for web applications to use classes from this package directly from Thymelaef templates — if there is a case where it is strictly necessary, a wrapper class in an application package could be created.IMPORTANT
Note that attacks based on the execution of this kind of expression specifically require write access to template code, or Thymeleaf being executed on an application that somehow allows template code to be altered externally, as seems to be the case of Spring Boot Admin in CVE-2023-38286.
The text was updated successfully, but these errors were encountered: