Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Vulnerability Type
文件名或路径的外部可控制
Vulnerability Title
Pebble 安全漏洞
Vulnerability Description
Pebble是PebbleTemplates开源的一款Java模板引擎。 Pebble存在安全漏洞,该漏洞源于容易通过include标记受到文件名或路径的外部控制,高权限攻击者可以通过制作恶意通知模板来访问敏感的本地文件。
CVSS Information
N/A
Vulnerability Type
N/A