| Field | Value |
|---|---|
| Title | Beetl <= 3.20.2.RELEASE Code Injection |
| Source | https://gitee.com/xiandafu/beetl/issues/IIYAWC |
| User | pigpig (UID 97550) |
| Submitted | 23/04/2026 11:20 AM (1 month ago) |
| Moderated | 16/05/2026 07:45 PM (23 days later) |
| Status | Approved |
| VulDB Entry | 364386 [xiandafu beetl up to 3.20.2 SpELFunction SpELFunction.java remote code execution] |
| Points | 20 |

Description

(1) Summary & Status
- Vulnerability Type: CWE-917 (Expression Language Injection) leading to RCE
- CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Score: 9.8)
- Vendor Status: Confirmed and Fixed (Issue: https://gitee.com/xiandafu/beetl/issues/IIYAWC)
- Patch: https://gitee.com/xiandafu/beetl/compare/1347394b6bb44f37a224f9a96c6252e90bd86291...07b5632b5135374421e610ba015e8439d4780214
- Affected Versions: <= 3.20.2.RELEASE

(2) Vulnerability Detail
- Prerequisites: The vulnerability is exploitable only when the developer explicitly registers SpELFunction in the Beetl configuration to enable Spring Expression support. It is not enabled by default, but it is a standard integration feature for Spring-based applications using Beetl.
- Technical Analysis (Root Cause): The SpELFunction.call method in the beetl-spring-classic component instantiates a StandardEvaluationContext, which by default permits access to Java static classes (e.g., java.lang.Runtime) and arbitrary object instantiation. An attacker who controls the expression string can use these capabilities to execute arbitrary system commands via a crafted SpEL payload.

(3) Proof of Concept (PoC)

```http
POST /render HTTP/1.1
Content-Type: application/x-www-form-urlencoded

payload=${spel('T(java.lang.Runtime).getRuntime().exec("calc")')}
```
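To make the root cause concrete, here is an added example (not code from Beetl or from the advisory) contrasting the vulnerable shape, a Beetl function that evaluates SpEL with a StandardEvaluationContext, against a hardened variant that uses Spring's SimpleEvaluationContext, which has no type locator and no constructor resolution, so `T(...)` references fail instead of reaching `java.lang.Runtime`. The `Function` interface signature (`call(Object[] paras, Context ctx)`) and the class names are assumptions for illustration; the actual fix in the linked patch may differ.

```java
import org.beetl.core.Context;
import org.beetl.core.Function;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Vulnerable shape (hypothetical reconstruction, not the project's code):
// StandardEvaluationContext resolves type references and constructors, so an
// expression string taken from template input becomes arbitrary code execution.
class UnsafeSpELFunction implements Function {
    private final ExpressionParser parser = new SpelExpressionParser();

    @Override
    public Object call(Object[] paras, Context ctx) {
        String expr = String.valueOf(paras[0]);
        return parser.parseExpression(expr).getValue(new StandardEvaluationContext());
    }
}

// Hardened variant (added here, an assumption about one acceptable mitigation):
// SimpleEvaluationContext in read-only data-binding mode exposes no TypeLocator,
// no constructor resolver and no bean resolver, so T(java.lang.Runtime) and
// new java.io.File(...) raise SpelEvaluationException instead of executing.
class RestrictedSpELFunction implements Function {
    private final ExpressionParser parser = new SpelExpressionParser();

    @Override
    public Object call(Object[] paras, Context ctx) {
        String expr = String.valueOf(paras[0]);
        Object root = paras.length > 1 ? paras[1] : null;   // optional data object
        SimpleEvaluationContext evalCtx = SimpleEvaluationContext
                .forReadOnlyDataBinding().withRootObject(root).build();
        return parser.parseExpression(expr).getValue(evalCtx);
    }
}

class SpelContextDemo {
    public static void main(String[] args) {
        Function restricted = new RestrictedSpELFunction();
        // Plain data-binding expressions still work (ctx is unused here, so null).
        System.out.println(restricted.call(new Object[]{"'abc'.toUpperCase()"}, null));
        try {  // A benign type reference is enough to show the class is rejected.
            restricted.call(new Object[]{"T(java.lang.System).getProperty('os.name')"}, null);
        } catch (SpelEvaluationException e) {
            System.out.println("blocked: " + e.getMessageCode());  // TYPE_NOT_FOUND
        }
    }
}
```

A regression test for an application that keeps SpEL support should assert that a `T(...)` expression throws under the registered function, since a later change back to `StandardEvaluationContext` would silently reopen the issue.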