CVE-2022-37767
CRITICAL
Pebble Templates 3.1.5 - Incorrect Authorization Bypass via Springbok
Title source: llm
Description
Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok. NOTE: the vendor disputes this because input to the Pebble templating engine is intended to include arbitrary Java code, and thus either the input should not arrive from an untrusted source, or else the application using the engine should apply restrictions to the input. The engine is not responsible for validating the input.
References (2)
Core References
Exploit, Issue Tracking, Third Party Advisory
https://github.com/PebbleTemplates/pebble/issues/625#issuecomment-1282138635
Exploit, Issue Tracking, Third Party Advisory
https://github.com/Y4tacker/Web-Security/issues/3
Scores
CVSS v3
9.8
EPSS
0.0109
EPSS Percentile
61.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-863
Status
published
Products (2)
io.pebbletemplates/pebble
0 Maven
pebbletemplates/pebble_templates
3.1.5
Published
Sep 12, 2022
Tracked Since
Feb 18, 2026