CVE-2022-24881
Severity: HIGH
ballcat/codegen < 1.0.0.beta.2 - Remote Code Execution via Template Engine Injection
Title source: llmDescription
Ballcat Codegen provides online editing of the templates used for code generation. In versions prior to 1.0.0.beta.2, an attacker can achieve remote code execution by injecting malicious code into the template engine. This is possible because Velocity and FreeMarker templates are supported but the template input is not validated. The issue is fixed in version 1.0.0.beta.2.
References (3)
Exploit, Patch, Third Party Advisory (x_refsource_confirm):
https://github.com/ballcat-projects/ballcat-codegen/security/advisories/GHSA-fv3m-xhqw-9m79
Issue Tracking, Patch, Third Party Advisory (x_refsource_misc):
https://github.com/ballcat-projects/ballcat-codegen/issues/5
Patch, Third Party Advisory (x_refsource_misc):
https://github.com/ballcat-projects/ballcat-codegen/commit/84a7cb38daf0295b93aba21d562ec627e4eb463b
Scores
CVSS v3
8.8
EPSS
0.0291
EPSS Percentile
85.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-20
CWE-94
Status
published
Products (2)
ballcat/codegen
< 1.0.0
com.hccake/ballcat-codegen
0 - 1.0.0.beta.2 (Maven)
Published
Apr 26, 2022
Tracked Since
Feb 18, 2026