High vulnerability issue 'thymeleaf-spring5' dependency JAR
- Version of Thymeleaf: thymeleaf-spring5-3.0.12.RELEASE.jar
- Environment: Spring Boot 2.5.5
- Detailed steps to reproduce your issue: Veracode 'Software Composition Analysis' finds the High vulnerability issue given below in all versions of the 'thymeleaf-spring5' dependency JARs.
- Any possible workarounds you may have found: No
High Severity CVE-2021-43466
Template Injection: thymeleaf-spring5 is vulnerable to template injection. An attacker can inject malicious input through the render function in AjaxThymeleafView.java, leading to remote code execution.
Can you please look into it?
Top GitHub Comments
Just in order to reduce anxiety around this issue, I’d like to explain that CVE-2021-43466 only affects those applications that contain controllers or controller configurations that take a request parameter and directly use it, without previous filtering, as the name of the view to be rendered — which is something IMHO no one should be doing, as it is a bit like voluntarily providing a way for code injection.
This is actually just a border case that was not covered by the overall fix for this scenario that was included in 3.0.12. Current 3.0.13-SNAPSHOT already contains a fix, and 3.0.13 will be released very soon.

@danielfernandez Do you have a rough estimation when version 3.0.13 with the fix will be available? Thanks!
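The controller pattern the maintainer describes above (a request parameter used directly, without filtering, as the view name) shown beside a hardened version that only accepts known view names. This is an added example, not code from the issue or from the Thymeleaf project; the class, mapping paths and view names are assumed.

```java
// Added example (not from the Thymeleaf project). Class, paths and view
// names are assumed for illustration.
import java.util.Set;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

@Controller
public class PageController {

    // Risky pattern: the request parameter is returned unfiltered as the
    // view name, so the caller decides what the view resolver is asked to
    // resolve and render. This is the scenario the maintainer warns about.
    @GetMapping("/page")
    public String renderPage(@RequestParam("name") String name) {
        return name;
    }

    // Hardened pattern: only a fixed set of known template names is ever
    // handed to the view resolver; anything else is rejected up front.
    private static final Set<String> ALLOWED_VIEWS = Set.of("home", "about", "contact");

    @GetMapping("/safe-page")
    public String renderSafePage(@RequestParam("name") String name) {
        if (!ALLOWED_VIEWS.contains(name)) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        return name;
    }
}
```

The allowlist removes the user's control over the view name regardless of library version; upgrading to the fixed release (3.0.13 or later, as stated above) addresses the border case in the library itself.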