| Field | Value |
|---|---|
| Title | Beetl <= 3.20.2.RELEASE Code Injection |
| Source | https://gitee.com/xiandafu/beetl/issues/IIYAWC |
| User | pigpig (UID 97550) |
| Submission | 23/04/2026 11:20 (2 months ago) |
| Moderated | 16/05/2026 19:45 (23 days later) |
| Status | Accepted |
| VulDB Entry | 364386 [xiandafu beetl up to 3.20.2 SpELFunction SpELFunction.java Remote Code Execution] |
| Points | 20 |

Description

(1) Summary & Status
- Vulnerability Type: CWE-917 (Expression Language Injection) leading to RCE
- CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Score: 9.8)
- Vendor Status: Confirmed and Fixed (Issue: https://gitee.com/xiandafu/beetl/issues/IIYAWC)
- Patch: https://gitee.com/xiandafu/beetl/compare/1347394b6bb44f37a224f9a96c6252e90bd86291...07b5632b5135374421e610ba015e8439d4780214
- Affected Versions: <= 3.20.2.RELEASE

(2) Vulnerability Detail
- Prerequisites: This vulnerability is exploitable only when the developer explicitly registers SpELFunction in the Beetl configuration to enable Spring Expression support. Although it is not enabled by default, this is a standard integration feature for Spring-based applications that use Beetl.
- Technical Analysis (Root Cause): The SpELFunction.call method in the beetl-spring-classic component instantiates a StandardEvaluationContext, which by default permits access to Java static classes (e.g., java.lang.Runtime) and arbitrary object instantiation. An attacker who controls the expression string can use these capabilities to execute arbitrary system commands via a crafted SpEL payload.

(3) Proof of Concept (PoC)

```http
POST /render HTTP/1.1
Content-Type: application/x-www-form-urlencoded

payload=${spel('T(java.lang.Runtime).getRuntime().exec("calc")')}
```
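The root-cause note above comes down to the choice of evaluation context. The Java example below is an added illustration, not code from Beetl, from the reporter, or from the linked patch: it evaluates the same expression string once against a `StandardEvaluationContext` (the permissive context named in the report) and once against Spring's `SimpleEvaluationContext` in read-only data-binding mode, which refuses `T(...)` type references, constructor calls and bean references while still allowing plain property access on the model. The class and method names (`SpelContextCheck`, `evalUnrestricted`, `evalRestricted`, `isRejected`, `User`) are hypothetical, and the only assumption is that `spring-expression` is on the classpath. A harmless `T(java.lang.Math)` reference is used to show how type references are handled; no command-executing expression is needed to see the difference.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Hypothetical class: contrasts the permissive SpEL context the report names with a
// restricted one. Assumes only spring-expression on the classpath.
public class SpelContextCheck {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Permissive variant: StandardEvaluationContext resolves T(...) type references,
    // constructor calls and arbitrary method invocation on any reachable object.
    static Object evalUnrestricted(String expr, Object root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    // Restricted variant: SimpleEvaluationContext in read-only data-binding mode
    // exposes public getters on the root object only. Its TypeLocator rejects every
    // T(...) reference, so the expression fails before any static method is reached.
    static Object evalRestricted(String expr, Object root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx, root);
    }

    // True when the restricted context refuses the expression (SpelEvaluationException
    // extends EvaluationException, so both parse-time and runtime refusals are caught).
    static boolean isRejected(String expr, Object root) {
        try {
            evalRestricted(expr, root);
            return false;
        } catch (EvaluationException e) {
            return true;
        }
    }

    // Constructed model object standing in for template data; a plain getter so the
    // data-binding property accessor can resolve "name".
    public static class User {
        private final String name;
        public User(String name) { this.name = name; }
        public String getName() { return name; }
    }

    public static void main(String[] args) {
        User model = new User("alice");
        // Benign type reference, chosen because it has no side effects.
        String typeRef = "T(java.lang.Math).abs(-1)";
        String propertyRef = "name";

        // StandardEvaluationContext happily resolves the type reference.
        System.out.println("unrestricted T(): " + evalUnrestricted(typeRef, model));
        // The restricted context still serves ordinary template data binding.
        System.out.println("restricted property: " + evalRestricted(propertyRef, model));
        // ...but refuses the type reference outright.
        System.out.println("restricted T() rejected: " + isRejected(typeRef, model));
    }
}
```

Two practical points follow from this. First, the fix belongs in the context, not in the input: blocklisting substrings such as `T(` in the expression is easy to bypass and does nothing about constructors or bean references, whereas `SimpleEvaluationContext` removes those capabilities structurally. Second, if template functions are exposed to request data at all, the restricted context should be the default, and any caller that genuinely needs `StandardEvaluationContext` should be treated as handling trusted, developer-authored expressions only.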