CVE-2022-24881

Command Injection in Ballcat Codegen

CVSS 8.8 HIGH · EPSS 2.9% · CWE-94
Vexday Risk Score: 21 (Low)
SSVC decision (CISA): Track
No sign of exploitation → monitor
CVSS 8.8 · EPSS 2.9% · KEV: no · PoC · Nuclei · Metasploit · Patch
Lifecycle
26 Apr 2022: Published in the NVD
Recommendation: Monitor; no sign of exploitation at present.
Ballcat Codegen provides the function of online editing code to generate templates. In versions prior to 1.0.0.beta.2, attackers can implement remote code execution through malicious code injection of the template engine. This happens because Velocity and freemarker templates are introduced but input verification is not done. The fault is rectified in version 1.0.0.beta.2.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
