
[GHSA-7gj7-224w-vpr3] Thymeleaf, as used in Spring Boot Admin, allows sandbox bypass via crafted HTML #4530

Conversation

Subrhamanya

Updates

  • Affected products

Comments
codecentric/spring-boot-admin#2615

@github-actions github-actions bot changed the base branch from main to Subrhamanya/advisory-improvement-4530 June 11, 2024 08:20
@darakian
Contributor

Hey @Subrhamanya, just to clarify. The fix has been backported to the 2.x branch in 2.7.16, but the 3.x releases before 3.1.2 are still affected, correct? The PR you link states "BREAKING: default thymeleaf configuration now implements ClasspathResourceLoader ONLY." Do you happen to know if thymeleaf itself has updated their behavior?

@Subrhamanya
Author

Subrhamanya commented Jun 12, 2024

@darakian I think the fix was provided by spring boot admin team via this PR https://github.com/codecentric/spring-boot-admin/pull/2615/files#diff-1ea8b144c29588e08221597d56d8be10b4b4a210f248a83f2e837152a3d2e0d7 and not thymeleaf...

[screenshot attached]

I am not sure if it was even initially flagged for thymeleaf. I didn't see anywhere that thymeleaf changed their behaviour, though.

@darakian
Contributor

Looking at one of the linked issues, thymeleaf/thymeleaf#966, it seems like thymeleaf did indeed address this in the 3.1.2.RELEASE version with thymeleaf/thymeleaf#966 / thymeleaf/thymeleaf@87b512d.

Good to know that spring boot admin has their own layer of defense as well, but my question about the 3.x versions still stands if you can comment on that please :)

@Subrhamanya
Author

Subrhamanya commented Jun 12, 2024

[screenshot attached]
This is what I saw in the comment there. They just excluded org.springframework.util from being used; that's what I am seeing in the next PR. I would say this CVE explains how spring boot admin uses thymeleaf to get exploited rather than what thymeleaf has given/changed.

Also to add more on thymeleaf,

[screenshot attached]

They also forbade a couple of spring web related things from being used as well. @darakian, my question is whether this CVE is flagged for spring boot admin or for thymeleaf. The description talks about spring boot admin exploiting thymeleaf rather than what thymeleaf has given. Am I missing something?

@darakian
Contributor

question arises is this CVE is flagged for spring boot admin or we thymeleaf.

That's what I'm trying to get clarity on as well. The source CVE had text which led me to believe that it could be both:
https://nvd.nist.gov/vuln/detail/CVE-2023-38286

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products...

I think we're in agreement that spring boot admin is affected, so it remains to be determined if thymeleaf is as well. I read the PR as a signal that yes, thymeleaf is affected, but I suppose you're arguing that it is not?

@github-actions github-actions bot deleted the Subrhamanya-GHSA-7gj7-224w-vpr3 branch June 12, 2024 22:24
@Subrhamanya
Author

To be frank, that's what's in my mind, though. All the descriptions from different sources like NVD, GitHub advisory and many others give me the same impression. The NVD link you shared clearly says "as used in spring boot admin and many more products", which gives me the impression that spring boot admin and many more applications are the ones exploiting it rather than thymeleaf. Also, they explain the mailNotifier functionality of spring boot admin specifically rather than any thymeleaf functionality that they have fixed in the 2.7.16 release.

@Subrhamanya
Author

Subrhamanya commented Jun 12, 2024

@darakian I closed the PR by mistake. Can it be re-opened??

@darakian
Contributor

Ya, I feel like it might be the case that the original text was overly vague. I think, given that the poc does not deal with anything thymeleaf specific, it's probably best to assume that thymeleaf is not affected and to rewrite our description text to be clear that this advisory is about spring boot admin only. Do you agree?

I closed the PR by mistake. Can it be re-opened??

I don't think so, but I can make the edits on my end 👍

@Subrhamanya
Author

Yes, I agree with it. Please share the PR with the edits with me. I had a release which was blocked by this CVE for spring boot admin...

@darakian
Contributor

Edits are up and live here 👍
GHSA-7gj7-224w-vpr3

@Subrhamanya
Author

Thanks for the help @darakian 🙏
