[GHSA-7gj7-224w-vpr3] Thymeleaf, as used in Spring Boot Admin, allows sandbox bypass via crafted HTML #4530
Conversation
Hey @Subrhamanya, just to clarify. The fix has been back ported to the 2.x branch in
@darakian I think the fix was provided by the spring boot admin team via this PR https://github.com/codecentric/spring-boot-admin/pull/2615/files#diff-1ea8b144c29588e08221597d56d8be10b4b4a210f248a83f2e837152a3d2e0d7 and not thymeleaf... I am not sure if initially it was even flagged for thymeleaf. I didn't see anywhere that thymeleaf changed their behaviour though.
Looking at one of the linked issues we have
Good to know that spring boot admin has their own layer of defense as well, but my question about the 3.x versions still stands if you can comment on that please :)
Also, to add more on thymeleaf, they also forbade a couple of spring web related things from being used as well. @darakian, my question is whether this CVE is flagged for spring boot admin or for thymeleaf. The description talks about spring boot admin exploiting thymeleaf rather than what thymeleaf has given. Am I missing something?
That's what I'm trying to get clarity on as well. The source CVE had text which led me to believe that it could be both.
I think we're in agreement that spring boot admin is affected, so it remains to be determined if thymeleaf is as well, and I read the PR as a signal toward
To be frank, that's what's in my mind too. All the descriptions from different sources like NVD, GitHub advisory and many others give me the same impression. The NVD link you shared clearly says "as used in spring boot admin and many more products", which gives me the impression that spring boot admin and many more applications are the ones exploiting it rather than thymeleaf. Also they explain the mailNotifier functionality of spring boot admin specifically rather than any thymeleaf functionality that they have fixed in the 2.7.16 release.
@darakian I closed the PR by mistake. Can it be re-opened?
Ya, I feel like it might be the case that the original text was overly vague. I think given that the PoC does not deal with anything thymeleaf specific, it's probably best to assume that thymeleaf is not affected and to rewrite our description text to be clear that this advisory is about spring boot admin only. Do you agree?
I don't think so, but I can make the edits on my end 👍
Yes, I agree with it. Please share the PR with the edits with me. I had a release which was blocked by this CVE for spring boot admin...
Edits are up and live here 👍
Thanks for the help @darakian 🙏
codecentric/spring-boot-admin#2615