VYPR
Critical severity · NVD Advisory · Published Dec 18, 2019 · Updated Aug 5, 2024

CVE-2019-19899

Description

Pebble Templates 3.1.2 allows sandbox bypass via Class.forName(Module,String) to access Java classes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2019-19899 describes a bypass of a protection mechanism in Pebble Templates 3.1.2 that is intended to block template access to java.lang.Class instances and the unsafe methods reachable through them. The mechanism was incomplete: the public static method java.lang.Class.forName(java.lang.Module, java.lang.String), an overload added in Java 9, remained callable from templates even after earlier fixes for similar issues [1][4]. A template that can obtain a java.lang.Module object can therefore still load arbitrary classes by name and circumvent the sandbox.

Exploitation

An attacker who can supply or inject template source exploits this by first obtaining a java.lang.Module object through chained attribute accesses and then passing it to Class.forName. The proof of concept reported against Pebble [4] does this in two steps, walking from the integer literal 1 to Integer.TYPE (a java.lang.Class), through its protection domain and permissions to another Class object, and finally to that class's Module:

{%set daInt = (1).TYPE.protectiondomain().getPermissions.elementsAsStream.findFirst().get.hashCode.TYPE.getModule %}
{{(1).TYPE.protectiondomain().getPermissions.elementsAsStream.findFirst().get.hashCode.TYPE.forName(daInt,'java.lang.Runtime') }}

The second expression renders the java.lang.Runtime class object, showing that templates can resolve arbitrary classes despite the sandbox.

Impact

Successful exploitation lets a template author bypass the sandbox and resolve any Java class, including java.lang.Runtime, which is the usual stepping stone to arbitrary command execution on the host rendering the template. Any application that renders templates from untrusted sources with Pebble Templates before version 3.1.4 is affected.

Mitigation

The issue is addressed in Pebble Templates 3.1.4, which replaces the earlier allowUnsafeMethods builder flag with a pluggable MethodAccessValidator interface [3]; the default implementation keeps the blocklist behaviour, and applications can supply their own validator to enforce a stricter policy. Users should upgrade to 3.1.4 or later. Since the protection is only as good as the validator in use, check that the engine is not built with unsafe method access permitted and, where templates come from untrusted sources, prefer an allow-list of the types and methods templates may touch over a blocklist of known-dangerous ones.
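The following is an added example, not code from the Pebble project or from the advisory, that ties the Exploitation and Mitigation sections together: it wires a Pebble 3.1.4+ engine to an allow-list MethodAccessValidator and then feeds it the bypass template quoted above. It assumes the 3.1.x API names MethodAccessValidator (with boolean isMethodAccessAllowed(Object, java.lang.reflect.Method)), PebbleEngine.Builder#methodAccessValidator and the com.mitchellbosecke.pebble package prefix used before the 3.2 rename; the User model class and the variable name mod are invented for the demonstration.

```java
// Added example (not Pebble's own code). Assumptions, to be checked against the Pebble
// version in use:
//   - com.mitchellbosecke.pebble.attributes.methodaccess.MethodAccessValidator exists with
//     boolean isMethodAccessAllowed(Object object, java.lang.reflect.Method method)
//   - PebbleEngine.Builder#methodAccessValidator(MethodAccessValidator) exists (3.1.4+)
//   - the package prefix is com.mitchellbosecke.pebble (3.1.x); 3.2+ uses io.pebbletemplates.pebble
import com.mitchellbosecke.pebble.PebbleEngine;
import com.mitchellbosecke.pebble.attributes.methodaccess.MethodAccessValidator;
import com.mitchellbosecke.pebble.error.PebbleException;
import com.mitchellbosecke.pebble.loader.StringLoader;
import com.mitchellbosecke.pebble.template.PebbleTemplate;

import java.io.StringWriter;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class AllowListPebbleExample {

  /**
   * Allow-list validator: a method call from a template is permitted only if the method is
   * declared by a type we deliberately expose and looks like a getter. Everything else,
   * including every method on java.lang.Class (forName(String), forName(Module, String),
   * getClassLoader, ...) and on java.lang.Object (getClass), is denied.
   */
  static final class AllowListMethodAccessValidator implements MethodAccessValidator {
    private final Set<Class<?>> allowedTypes;

    AllowListMethodAccessValidator(Set<Class<?>> allowedTypes) {
      this.allowedTypes = allowedTypes;
    }

    @Override
    public boolean isMethodAccessAllowed(Object object, Method method) {
      Class<?> declaring = method.getDeclaringClass();
      // Deny on the receiver type, not on the name of the call that produced it: the bypass
      // reaches a Class object via a public static field read (Integer.TYPE), which is an
      // attribute access rather than a method call, so the first thing we can veto is the
      // method invoked on that Class instance.
      if (object instanceof Class || object instanceof ClassLoader
          || declaring == Class.class || declaring == Object.class) {
        return false;
      }
      String name = method.getName();
      return allowedTypes.contains(declaring)
          && (name.startsWith("get") || name.startsWith("is"));
    }
  }

  /** Hypothetical model type that templates are allowed to read. */
  public static final class User {
    private final String name;
    public User(String name) { this.name = name; }
    public String getName() { return name; }
  }

  static PebbleEngine hardenedEngine() {
    return new PebbleEngine.Builder()
        .loader(new StringLoader())   // the template "name" is the template source itself
        .strictVariables(true)        // unresolved attributes fail loudly instead of rendering empty
        .methodAccessValidator(new AllowListMethodAccessValidator(Set.of(User.class)))
        .build();
  }

  static String render(PebbleEngine engine, String source, Map<String, Object> model)
      throws Exception {
    PebbleTemplate template = engine.getTemplate(source);
    StringWriter out = new StringWriter();
    template.evaluate(out, model);
    return out.toString();
  }

  public static void main(String[] args) throws Exception {
    PebbleEngine engine = hardenedEngine();
    Map<String, Object> model = new HashMap<>();
    model.put("user", new User("alice"));

    // Legitimate template use keeps working.
    System.out.println(render(engine, "Hello {{ user.getName() }}", model));

    // The bypass template from the advisory, with the set variable renamed to "mod".
    String payload =
        "{% set mod = (1).TYPE.protectiondomain().getPermissions.elementsAsStream"
      + ".findFirst().get.hashCode.TYPE.getModule %}"
      + "{{ (1).TYPE.protectiondomain().getPermissions.elementsAsStream"
      + ".findFirst().get.hashCode.TYPE.forName(mod, 'java.lang.Runtime') }}";
    try {
      System.out.println("NOT BLOCKED: " + render(engine, payload, model));
    } catch (PebbleException e) {
      // The first method call on the Class object returned by (1).TYPE is refused.
      System.out.println("blocked: " + e.getMessage());
    }
  }
}
```

Run this against a vulnerable 3.1.2 engine built without the validator and the second render prints the java.lang.Runtime class; on 3.1.4 with the allow-list above, the call to protectiondomain() on the Class object is the first point the validator sees and is refused, so neither forName overload is ever reached. The allow-list is also what keeps future overloads or reflective entry points out of scope without another blocklist update.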

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Ecosystem   Affected versions   Patched versions
io.pebbletemplates:pebble-project    Maven       < 3.1.4             3.1.4

Affected products: 2

Patches: 0 (no patch commits discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)