Vulnerability Description
Ballcat Codegen provides the function of online editing code to generate templates. In versions prior to 1.0.0.beta.2, attackers can implement remote code execution through malicious code injection of the template engine. This happens because Velocity and freemarker templates are introduced but input verification is not done. The fault is rectified in version 1.0.0.beta.2.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ballcat | Codegen | < 1.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/ballcat-projects/ballcat-codegen/commit/84a7cb38daf0295b93abaPatchThird Party Advisory
- https://github.com/ballcat-projects/ballcat-codegen/issues/5Issue TrackingPatchThird Party Advisory
- https://github.com/ballcat-projects/ballcat-codegen/security/advisories/GHSA-fv3ExploitPatchThird Party Advisory
- https://github.com/ballcat-projects/ballcat-codegen/commit/84a7cb38daf0295b93abaPatchThird Party Advisory
- https://github.com/ballcat-projects/ballcat-codegen/issues/5Issue TrackingPatchThird Party Advisory
- https://github.com/ballcat-projects/ballcat-codegen/security/advisories/GHSA-fv3ExploitPatchThird Party Advisory
FAQ
What is CVE-2022-24881?
CVE-2022-24881 is a vulnerability with a CVSS score of 8.8 (HIGH). Ballcat Codegen provides the function of online editing code to generate templates. In versions prior to 1.0.0.beta.2, attackers can implement remote code execution through malicious code injection of...
How severe is CVE-2022-24881?
CVE-2022-24881 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24881?
Check the references section above for vendor advisories and patch information. Affected products include: Ballcat Codegen.