CVE-2024-22533

CRITICAL

Before Beetl <3.15.12 - Code Injection

Title source: llm

Description

Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.

Exploits (1)

gitee 643 stars

by xiandafu · javawriteup

https://gitee.com/xiandafu/beetl/issues/I8RU01

View on gitee

References (1)

[Exploit, Issue Tracking, Vendor Advisory] https://gitee.com/xiandafu/beetl/issues/I8RU01

Scores

CVSS v3 9.8

EPSS 0.0077

EPSS Percentile 73.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

com.ibeetl/beetl-core 0 - 3.15.13.RELEASEMaven

xiandafu/beetl 3.15.12

Published Feb 02, 2024

Tracked Since Feb 18, 2026