Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Java template framework Pebble vulnerable to command injection

Java templating engine Pebble was vulnerable to a bug that could allow attackers to bypass its security mechanisms and conduct command injection attacks against host servers.

Pebble Templates is convenient because of its easy-to-use templating system for web applications, internationalization capabilities, and security features such as auto-escaping and a block-list method access validator that prevents command execution attacks.

However, according to the findings of a security researcher, Pebble’s command execution defense can be bypassed with carefully crafted code and template files.

Bypassing Pebble security

The bypass works when Pebble is used in combination with Spring, a popular Java application framework. Many Spring classes are registered as beans, which enables them to be loaded dynamically at runtime.

Using the Java beans engine, the attacker can load one of the Spring objects that supports class loading.

It then uses the Jackson, a data-parsing library, to read an XML file that contains the specification of a class to instantiate and a function to run. This provides the attacker with a window to run arbitrary code on the server.

In a proof of concept, the researcher used a Pebble template to load an XML file from the web and instantiate a Java class that supports running system commands on the server.

No easy fix yet

The bug report has sparked conversation on GitHub. Since the vulnerability has been assigned a CVE, it is triggering security alerts in corporate systems that depend on the current version of Pebble.

The developers are working on a fix, but since it is a community-driven project, it is not clear when it will be released. The maintainers have provided a few workarounds to secure projects in the meantime.

It is worth noting that to exploit the bug, an attacker would need to have a way to upload a malicious Pebble template on the server. Therefore, one defense measure would be to harden security checks on user-provided content and restrict template uploads.

The Daily Swig has reached out to the maintainers of Pebble and will update this post if and when we hear back.

Source: https://portswigger.net/daily-swig/java-template-framework-pebble-vulnerable-to-command-injection

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO