Remote Code Execution

Affecting com.hubspot.jinjava: jinjava artifact, versions [,2.4.6)

Overview

com.hubspot.jinjava: jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates (at least the subset of jinja in use in HubSpot content).

Affected versions of this package are vulnerable to Remote Code Execution through com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java: the bean resolver did not prevent the getClass() method from being called on any object exposed to a template expression.

Remediation

Upgrade com.hubspot.jinjava: jinjava to version 2.4.6 or higher.
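A dependency check for the affected range, added here as an example (it is not Snyk's or jinjava's own tooling); it assumes the line shape printed by `mvn dependency:tree`, encodes the [,2.4.6) range from this advisory, and treats Maven qualifiers such as -SNAPSHOT as lower than the plain release:

```python
"""Flag com.hubspot.jinjava:jinjava versions inside the advisory range [,2.4.6)."""
import re

AFFECTED_GROUP_ARTIFACT = "com.hubspot.jinjava:jinjava"
FIXED_VERSION = "2.4.6"  # first version outside the affected range

# Matches "group:artifact:jar:version" as printed by `mvn dependency:tree`.
_DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)")


def version_key(version):
    """Sortable key: numeric parts compared numerically (2.4.10 > 2.4.6),
    padded so 2.4 == 2.4.0, and any qualifier (-SNAPSHOT, -rc1) sorts
    below the matching release, as Maven does."""
    nums, qual = [], []
    for piece in re.split(r"[.\-]", version):
        (nums if piece.isdigit() else qual).append(piece)
    numeric = [int(n) for n in nums] + [0] * (4 - len(nums))
    return (tuple(numeric), 0 if qual else 1, "".join(qual))


def is_affected(version):
    """True when the version lies in [,2.4.6), i.e. strictly below the fix."""
    return version_key(version) < version_key(FIXED_VERSION)


def find_vulnerable(tree_text):
    """Return (group:artifact, version) pairs from the tree that are affected."""
    hits = []
    for line in tree_text.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        ga, ver = f"{m.group(1)}:{m.group(2)}", m.group(3)
        if ga == AFFECTED_GROUP_ARTIFACT and is_affected(ver):
            hits.append((ga, ver))
    return hits


# Constructed sample in the shape of `mvn dependency:tree` output.
SAMPLE_TREE = """\
[INFO] com.example:webapp:jar:1.0.0
[INFO] +- com.hubspot.jinjava:jinjava:jar:2.4.5:compile
[INFO] |  \\- com.google.guava:guava:jar:27.0-jre:compile
[INFO] \\- com.hubspot.jinjava:jinjava:jar:2.4.6:test
"""

if __name__ == "__main__":
    for ga, ver in find_vulnerable(SAMPLE_TREE):
        print(f"vulnerable: {ga} {ver} (upgrade to {FIXED_VERSION} or higher)")
```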

CVSS Score

5.6 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Credit: Unknown
CVE: CVE-2018-18893
CWE: CWE-94
Snyk ID: SNYK-JAVA-COMHUBSPOTJINJAVA-72881
Disclosed: 03 Jan, 2019
Published: 06 Jan, 2019