Server-Side Template Injection
High severity
GitHub Reviewed
Published Dec 22, 2020 in browserup/browserup-proxy • Updated Feb 1, 2023
Description
Reviewed: Dec 24, 2020
Published to the GitHub Advisory Database: Dec 24, 2020
Published by the National Vulnerability Database: Dec 24, 2020
Last updated: Feb 1, 2023
Impact
A Server-Side Template Injection was identified in BrowserUp Proxy that enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE). This has been assigned CVE-2020-26282.
Patches
Effective immediately, all users should upgrade to version 2.1.2 or higher.
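To confirm the upgrade has reached every build, the check below scans dependency reports for BrowserUp Proxy artifacts older than 2.1.2. It is an added example, not code from the advisory or the project; the `com.browserup` group ID, the artifact names and the sample report lines are assumptions constructed for illustration.

```python
import re

FIXED = (2, 1, 2)  # first patched release named in the advisory

VERSION = r"(\d+(?:\.\d+)*)([\w.\-]*)"
# group:artifact[:type[:classifier]]:version, optionally "-> resolved" (Gradle)
COORD = re.compile(
    r"([\w.\-]+):(browserup-proxy[\w\-]*):(?:[A-Za-z][\w\-]*:){0,2}"
    + VERSION + r"(?:[ \t]*->[ \t]*" + VERSION + r")?"
)

def is_affected(numeric, qualifier=""):
    """True when the version is older than FIXED.

    A qualified build of the fixed version (e.g. 2.1.2-SNAPSHOT) is also
    reported, since it may predate the patched release.
    """
    parts = [int(p) for p in numeric.split(".")]
    version = tuple(parts + [0] * (len(FIXED) - len(parts)))
    return version < FIXED or (version == FIXED and bool(qualifier))

def find_affected(report):
    """Return sorted (coordinate, version) pairs that still need upgrading."""
    hits = set()
    for m in COORD.finditer(report):
        group, artifact, num, qual, res_num, res_qual = m.groups()
        if res_num:  # Gradle resolved a different version; judge that one
            num, qual = res_num, res_qual or ""
        if is_affected(num, qual):
            hits.add((f"{group}:{artifact}", num + qual))
    return sorted(hits)

# Constructed sample mixing `mvn dependency:list` and `gradle dependencies` lines.
SAMPLE = """\
[INFO]    com.browserup:browserup-proxy-core:jar:2.1.1:compile
[INFO]    com.browserup:browserup-proxy-rest:jar:2.1.2:compile
+--- com.browserup:browserup-proxy-mitm:2.0.1 -> 2.1.2
+--- com.browserup:browserup-proxy-dist:2.1.2-SNAPSHOT
[INFO]    org.example:unrelated-lib:jar:1.0.0:compile
"""

if __name__ == "__main__":
    for coordinate, version in find_affected(SAMPLE):
        print(f"UPGRADE {coordinate} {version} -> 2.1.2 or higher")
```

Run it against the resolved dependency report rather than the build file, so transitive copies pulled in by other libraries are caught as well.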
Workarounds
None.
References
https://securitylab.github.com/research/bean-validation-RCE
For more information
If you have any questions or comments about this advisory: