CVE-2023-38286 in Thymeleafinfo

Summary

by MITRE • 07/14/2023

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/20/2025

The vulnerability CVE-2023-38286 represents a critical sandbox bypass flaw in Thymeleaf template engine versions up to 3.1.1.RELEASE when integrated with Spring Boot Admin through version 3.1.1. This vulnerability specifically affects applications that utilize the MailNotifier functionality within Spring Boot Admin, creating a potential pathway for server-side template injection attacks. The flaw occurs when crafted HTML content is processed through the template engine, allowing attackers to circumvent the intended security boundaries that should prevent arbitrary code execution.

The technical implementation of this vulnerability stems from insufficient input validation and sanitization within Thymeleaf's template processing mechanisms. When Spring Boot Admin processes notifications through the MailNotifier component, it may render user-provided content without adequate sanitization, particularly when environment variables are writable through the user interface. This creates a scenario where malicious HTML content can contain template expressions that are executed during rendering, effectively bypassing the sandbox protections designed to isolate template execution from underlying system operations. The vulnerability manifests as a direct consequence of improper template context handling and inadequate protection against template injection attacks.

The operational impact of this vulnerability extends beyond simple template manipulation to potentially enable full code execution within the application server context. Attackers who can influence template content through the UI interface and have write access to environment variables can construct malicious payloads that exploit the sandbox bypass to execute arbitrary code. This represents a severe security risk for monitoring and management applications like Spring Boot Admin, where the attack surface includes not just the application itself but also the underlying system resources accessible through environment variable manipulation. The vulnerability is particularly dangerous in environments where administrative access to the UI is available to untrusted users.

Mitigation strategies for CVE-2023-38286 should focus on immediate version upgrades to Thymeleaf 3.1.2.RELEASE or later, which contain patches addressing the sandbox bypass issue. Organizations should also implement strict input validation and sanitization for all user-provided content processed through template engines, particularly in administrative interfaces. The principle of least privilege should be enforced by restricting write access to environment variables through the UI and disabling MailNotifier functionality when not required. Security configurations should include monitoring for suspicious template content and implementing proper template context isolation. Additionally, organizations should consider implementing web application firewalls and runtime application self-protection mechanisms to detect and prevent exploitation attempts. This vulnerability aligns with CWE-74 and CWE-94 categories related to injection flaws and code execution, and maps to ATT&CK techniques involving template injection and privilege escalation through application vulnerabilities.

Reservation

07/14/2023

Disclosure

07/14/2023

Moderation

accepted

CPE

ready

EPSS

0.00875

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!