VYPR
Critical severity · NVD Advisory · Published May 4, 2023 · Updated Jan 29, 2025

CVE-2023-30331

Description

An issue in the render function of beetl v3.15.0 allows attackers to execute server-side template injection (SSTI) via a crafted payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Server-side template injection in beetl v3.15.0 allows attackers to execute arbitrary code via crafted payloads, bypassing the security manager's blacklist.

Vulnerability

CVE-2023-30331 is a server-side template injection (SSTI) vulnerability in the render function of beetl v3.15.0. The root cause is the blacklist-based design of DefaultNativeSecurityManager, the component that decides which native Java calls a template may make: it denies a short list of java.lang classes (Runtime, Process, ProcessBuilder, System) and permits everything else. Because java.lang.Class itself is not on that list, a template can call Class.forName and related reflection methods to reach any class, including the denied ones, so the blacklist only blocks the direct spelling of the dangerous calls, not the capability [2][3].

Exploitation

An attacker who controls template source can inject a payload that uses Java reflection to instantiate a class such as javax.script.ScriptEngineManager and evaluate attacker-supplied script. The official PoC uses the JavaScript engine to run an OS command (open -a Calculator on macOS) without authentication [3]. No special privileges are needed: the only precondition is that untrusted input reaches beetl's template rendering as template text (not merely as a bound variable), since the expression is evaluated when the template is rendered.

Impact

Successful exploitation allows remote code execution with the privileges of the application server. An attacker can execute arbitrary system commands, access sensitive data, or compromise the underlying host. This is a critical vulnerability as it enables full server control [2].

Mitigation

As of the referenced reports, beetl had not released a fix. The recommended mitigation is to replace the blacklist with a whitelist-based NativeSecurityManager that denies reflection entry points (java.lang.Class, java.lang.reflect.*) and permits only an explicit set of classes [4]. Users should upgrade to a patched version if one becomes available and, in any case, never render templates whose source text comes from untrusted input.
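The following is an added example illustrating both the bypass mechanism described under Vulnerability and the whitelist mitigation recommended above; it is not beetl's own code or a published fix. It assumes the beetl 3.x API as used here: the org.beetl.core.NativeSecurityManager interface with permit(String resourceId, Class c, Object target, String method), GroupTemplate.setNativeSecurity(NativeSecurityManager), and the StringTemplateResourceLoader/Template classes. The probe template is constructed for this example and only resolves a class; it executes nothing.

```java
// Added example (not beetl project code): deny-by-default NativeSecurityManager
// for beetl 3.x. ASSUMED API: org.beetl.core.NativeSecurityManager.permit(
// String resourceId, Class c, Object target, String method) and
// GroupTemplate.setNativeSecurity(NativeSecurityManager).
import java.util.Set;

import org.beetl.core.Configuration;
import org.beetl.core.GroupTemplate;
import org.beetl.core.NativeSecurityManager;
import org.beetl.core.Template;
import org.beetl.core.resource.StringTemplateResourceLoader;

public class AllowListSecurityDemo {

    /**
     * Whitelist replacement for DefaultNativeSecurityManager. The default
     * manager denies Runtime/Process/ProcessBuilder/System and allows all else,
     * so java.lang.Class.forName(...) slips through. Here nothing is allowed
     * unless it is explicitly listed, and reflection is refused outright.
     */
    static class AllowListNativeSecurityManager implements NativeSecurityManager {
        // Classes a template is permitted to call natively (tune per application).
        private static final Set<String> ALLOWED = Set.of(
                "java.lang.String",
                "java.lang.Math",
                "java.util.List",
                "java.util.Map");

        @Override
        public boolean permit(String resourceId, Class c, Object target, String method) {
            // Reflection entry points are refused regardless of what they would
            // resolve to; this closes the Class.forName route around any list.
            if (c == Class.class || c.getName().startsWith("java.lang.reflect.")) {
                return false;
            }
            // Deny by default: only the listed classes are reachable.
            return ALLOWED.contains(c.getName());
        }
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = Configuration.defaultConfiguration();
        GroupTemplate gt = new GroupTemplate(new StringTemplateResourceLoader(), cfg);
        gt.setNativeSecurity(new AllowListNativeSecurityManager());

        // A benign native call on a whitelisted class renders normally.
        Template ok = gt.getTemplate("${@java.lang.Math.max(1, 2)}");
        System.out.println("allowed: " + ok.render());

        // Constructed probe: under the default blacklist this resolves a denied
        // class via java.lang.Class, which the blacklist never inspects. Under the
        // whitelist, permit() returns false for java.lang.Class and beetl reports a
        // native-security error instead of evaluating the expression.
        Template probe = gt.getTemplate("${@java.lang.Class.forName(\"java.lang.Runtime\")}");
        try {
            System.out.println("probe rendered: " + probe.render());
        } catch (Exception e) {
            System.out.println("probe blocked: " + e.getMessage());
        }
    }
}
```

How the blocked expression surfaces (exception versus error text in the output) depends on the ErrorHandler configured on the GroupTemplate, so treat the catch block as illustrative. The design point is the order of checks: reflection classes are rejected before the allow-list is consulted, so extending the list later cannot accidentally reopen the Class.forName route.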

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions     Patched versions
com.ibeetl:beetl   Maven       <= 3.15.0.RELEASE     none listed

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)