Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
iris-web vulnerable to Server Side Template Injection in reports
Vulnerability Description
Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations. Due to an improper setup of Jinja2 environment, reports generation in `iris-web` is prone to a Server Side Template Injection (SSTI). Successful exploitation of the vulnerability can lead to an arbitrary Remote Code Execution. An authenticated administrator has to upload a crafted report template containing the payload. Upon generation of a report based on the weaponized report, any user can trigger the vulnerability. The vulnerability is patched in IRIS v2.4.6. No workaround is available. It is recommended to update as soon as possible. Until patching, review the report templates and keep the administrative privileges that include the upload of report templates limited to dedicated users.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
CWE-1336
Vulnerability Title
Iris 安全漏洞
Vulnerability Description
Iris是一个快速、简单但功能齐全且非常高效的 Go 网络框架。 Iris v2.4.6之前版本存在安全漏洞,该漏洞源于环境设置不当,容易受到服务器端模板注入(SSTI)的影响,成功利用该漏洞可导致任意远程执行代码。
CVSS Information
N/A
Vulnerability Type
N/A