CVE-2022-37767
Summary
| CVE | CVE-2022-37767 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-09-12 14:15:00 UTC |
| Updated | 2023-11-07 03:49:00 UTC |
| Description | ** DISPUTED ** Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok. NOTE: the vendor disputes this because input to the Pebble templating engine is intended to include arbitrary Java code, and thus either the input should not arrive from an untrusted source, or else the application using the engine should apply restrictions to the input. The engine is not responsible for validating the input. |
Risk And Classification
Problem Types: CWE-863
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Pebbletemplates | Pebble Templates | 3.1.5 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| command execution vulnerability in pebble 3.1.5(latest) · Issue #3 · Y4tacker/Web-Security · GitHub | MISC | github.com | |
| Vulnerability CVE-2022-37767 · Issue #625 · PebbleTemplates/pebble · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |