
[Security] Vulnerability to Arbitrary code execution #655

Closed
ego93 opened this issue Jul 14, 2023 · 3 comments


ego93 commented Jul 14, 2023

Pebble Templates in all versions is vulnerable to Arbitrary code execution, only when exposing Spring beans and Servlet related objects (such as the Servlet Context). This may introduce a variety of objects which can be used to bypass the Pebble sandbox. Deep inspection of the exposed objects’ object graph allows an attacker to get access to objects that allow them to instantiate arbitrary Java objects.

This has been caught by Prisma PRISMA-2021-0114
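The report above hinges on what the application hands to the template: live framework objects (Spring beans, the ServletContext) carry an object graph the sandbox was never meant to contain. The defensive check below is an added example, not code from this issue or from the Pebble project; it assumes Pebble 3.2+ (the `io.pebbletemplates` package) and passes only plain data into `evaluate`.

```java
// Added example (not from the issue or the Pebble project). Assumes Pebble 3.2+,
// where the engine lives under io.pebbletemplates. The idea: validate the model
// before rendering so the template never sees a bean, a servlet object, or any
// other live object whose graph could be walked from inside the template.
import io.pebbletemplates.pebble.PebbleEngine;
import io.pebbletemplates.pebble.loader.StringLoader;
import io.pebbletemplates.pebble.template.PebbleTemplate;
import java.io.StringWriter;
import java.util.*;

public class PlainDataModel {
    // Scalar types a template is allowed to receive; everything else is rejected.
    private static final Set<Class<?>> SCALARS = Set.of(
        String.class, Integer.class, Long.class, Double.class, Boolean.class);

    // True only if the value is a scalar, or a List/Map built from such values.
    static boolean isPlainData(Object v) {
        if (v == null || SCALARS.contains(v.getClass())) return true;
        if (v instanceof List<?> list) return list.stream().allMatch(PlainDataModel::isPlainData);
        if (v instanceof Map<?, ?> map)
            return map.keySet().stream().allMatch(k -> k instanceof String)
                && map.values().stream().allMatch(PlainDataModel::isPlainData);
        return false;
    }

    // Rejects the whole model if any entry would expose a live object graph.
    static Map<String, Object> checkedModel(Map<String, Object> model) {
        for (Map.Entry<String, Object> e : model.entrySet())
            if (!isPlainData(e.getValue()))
                throw new IllegalArgumentException(
                    "model entry '" + e.getKey() + "' is not plain data: " + e.getValue().getClass());
        return model;
    }

    public static void main(String[] args) throws Exception {
        PebbleEngine engine = new PebbleEngine.Builder().loader(new StringLoader()).build();
        PebbleTemplate tpl = engine.getTemplate("Hello {{ user.name }}, you have {{ count }} items");

        // Constructed, plain-data model: passes the check and renders normally.
        Map<String, Object> ok = Map.of("user", Map.of("name", "alice"), "count", 3);
        StringWriter out = new StringWriter();
        tpl.evaluate(out, checkedModel(ok));
        System.out.println(out);

        // Constructed stand-in for a framework object (e.g. a ServletContext or
        // a Spring bean): checkedModel refuses it before the template can see it.
        Map<String, Object> unsafe = Map.of("ctx", new Object());
        try { checkedModel(unsafe); } catch (IllegalArgumentException ex) { System.out.println(ex.getMessage()); }
    }
}
```

The check is deliberately strict: anything that is not a scalar, a List or a String-keyed Map of scalars is refused, so objects with callable methods never reach the sandbox in the first place.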

@ebussieres
Member

Is it the same thing as #625? If yes, the CVE was disputed. Templates should not arrive from an untrusted source, or else the application using the engine should apply restrictions to the templates.

ego93 commented Jul 17, 2023

I'll raise a ticket with Prisma pointing to #625

ego93 commented Jul 19, 2023

Prisma response:

As mentioned here - https://nvd.nist.gov/vuln/detail/CVE-2022-37767, it looks like the CVE is disputed by the vendor. The reason this is probably being triggered by Prisma is because the product by design does not do input validation; it assumes all code is from a trusted source. As the vulnerability is disputed, our feed still shows this as unresolved and it is an expected behavior from the product.

@ego93 ego93 closed this as completed Jul 19, 2023