CVE-2020-12668
MEDIUMJinjava < 2.5.4 - Arbitrary Class Access and Arbitrary File Disclosure via Java Method Calls
Title source: llmDescription
Jinjava before 2.5.4 allow access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure.
References (5)
Core 5
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/HubSpot/jinjava/compare/jinjava-2.5.3...jinjava-2.5.4
Patch, Permissions Required, Third Party Advisory x_refsource_misc
https://github.com/HubSpot/jinjava/pull/426/commits/5dfa5b87318744a4d020b66d5f7747acc36b213b
Patch, Third Party Advisory x_refsource_misc
https://github.com/HubSpot/jinjava/pull/435/commits/1b9aaa4b420c58b4a301cf4b7d26207f1c8d1165
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.5.4
Exploit, Third Party Advisory x_refsource_misc
https://securitylab.github.com/advisories/GHSL-2020-072-hubspot_jinjava
Scores
CVSS v3
6.5
EPSS
0.0181
EPSS Percentile
75.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-863
Status
published
Products (2)
com.hubspot.jinjava/jinjava
0 - 2.5.4Maven
hubspot/jinjava
< 2.5.4
Published
Feb 19, 2021
Tracked Since
Feb 18, 2026