This repository has been archived by the owner on Jun 11, 2024. It is now read-only.
Server-Side Template Injection Vulnerability allows Remote Code Execution (RCE) via Java EL Expressions
Package
BrowserUp Proxy
(Java)
Affected versions
< v2.1.1
Patched versions
2.1.2
Impact
A Server-Side Template Injection was identified in BrowserUp Proxy enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. This has been assigned CVE-2020-26282.
Patches
Effective Immediately, all users should upgrade to version 2.1.2 or higher.
Workarounds
None.
References
https://securitylab.github.com/research/bean-validation-RCE
For more information
If you have any questions or comments about this advisory: