Submission #601207: Kingdee Cloud-Starry-Sky Enterprise Edition V8.2 Remote Arbitrary Code Execution Vulnerability (RCE)
Information

Title: Kingdee Cloud-Starry-Sky Enterprise Edition V8.2 Remote Arbitrary Code Execution Vulnerability (RCE)
Description:
1. Vulnerability name: Remote Arbitrary Code Execution Vulnerability (RCE) in Kingdee Cloud-Starry-Sky Enterprise Edition
2. Vulnerability contributor and submitter: caichaoxiong
3. Manufacturer and product information: https://www.kingdee.com/products/galaxy.html
4. Vulnerability level: Critical
5. Vulnerability description: Without authentication, an attacker can inject malicious code into the Freemarker template engine of Kingdee Cloud Star BBC Mall (Tomcat-BBCMallSite) and, by abusing the security flaws of the template engine's rendering mechanism, execute arbitrary code on the server side, i.e. a remote arbitrary code execution vulnerability (RCE). An attacker can obtain sensitive data from the Kingdee Cloud Star server, take control of the system and use it for further intranet penetration, which poses a serious threat.
6. Repair plan: Do not splice user input into template source. Since version 2.3.17, Freemarker provides three TemplateClassResolver implementations for resolving classes:
   UNRESTRICTED_RESOLVER: any class can be obtained through ClassUtil.forName(className);
   SAFER_RESOLVER: cannot load the three classes freemarker.template.utility.JythonRuntime, freemarker.template.utility.Execute and freemarker.template.utility.ObjectConstructor;
   ALLOWS_NOTHING_RESOLVER: no classes can be resolved.
   Therefore, call configuration.setNewBuiltinClassResolver to set the resolver to SAFER_RESOLVER or ALLOWS_NOTHING_RESOLVER. For the dangerous built-in API functions (the API built-in has been disabled by default since version 2.3.22, i.e. the setting defaults to false), avoid enabling it with configuration.setAPIBuiltinEnabled(true).
Source: https://wx.mail.qq.com/s?k=-EjewV0bTnc1HRsSNE
User: caichaoxiong (UID 84060)
Submitted: 2025-06-20 11:57 (12 months ago)
Moderated: 2025-06-27 07:19 (7 days later)
Status: Accepted
VulDB entry: 314072 [Kingdee Cloud-Starry-Sky Enterprise Edition 6.x/7.x/8.x/9.0 Freemarker Engine DynamicForm 4 Action.class plugin.buildMobilePopHtml Remote Code Execution]
Points: 17
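The repair plan in the description above (a restrictive class resolver, the API built-in left disabled, and user input kept out of the template source) as a compilable Java example; it is added here and is not Kingdee's or FreeMarker's own code. It assumes FreeMarker 2.3.22 or later on the classpath, uses a constructed one-line template, and the incompatible-improvements version passed to the Configuration constructor is an assumed value.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;

public class FreemarkerHardening {

    // Configuration hardened along the lines of the repair plan.
    static Configuration hardenedConfiguration() {
        // Assumed version constant; any 2.3.22+ value works for the settings below.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // Strictest choice: no class may be resolved via ?new (SAFER_RESOLVER is the alternative).
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // The API built-in is off by default since 2.3.22; keep it off explicitly.
        cfg.setAPIBuiltinEnabled(false);
        // Templates come only from a fixed, in-memory source (constructed), never from request data.
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("greeting", "Hello, ${name}!");
        cfg.setTemplateLoader(loader);
        return cfg;
    }

    // Renders the fixed template; user input enters only through the data model.
    static String render(Configuration cfg, String userName) throws IOException, TemplateException {
        Template t = cfg.getTemplate("greeting");
        StringWriter out = new StringWriter();
        t.process(Map.of("name", userName), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        // Directive syntax inside user data is output as plain text, not evaluated.
        System.out.println(render(cfg, "${\"java.util.Date\"?new()}"));

        // Even if a template source did use ?new, the resolver rejects it (harmless class used here).
        Template check = new Template("check", "${\"java.util.Date\"?new()}", cfg);
        try {
            check.process(Map.of(), new StringWriter());
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```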
