| Title | ChestnutCMS <=15.1 code execution |
|---|---|
| Description | ChestnutCMS is an enterprise-level content management system with front-end and back-end separation. Before version 5.1, the system supported online execution of Groovy scripts after login. Code analysis shows that the dev-api/groovy/exec API endpoint accepts JSON data as input; the scriptText field of that JSON is passed to GroovyScriptFactory.getInstance().loadNewInstance(...), which instantiates a BaseGroovyScript that is then executed via script.run(). The script content is not verified in any way, and since this feature is exposed to the front end, it poses a significant security risk. The controller source is quoted below. |
| Source | https://github.com/byxs0x0/cve/issues/7 |
| User | wanglun (UID 73616) |
| Submitted | 2025. 05. 30. AM 04:15 (1 year ago) |
| Moderation | 2025. 06. 03. PM 06:44 (5 days later) |
| Status | Accepted |
| VulDB entry | 311002 [ChestnutCMS up to 15.1 API Endpoint /dev-api/groovy/exec privilege escalation] |
| Points | 20 |

Controller source quoted in the submission (the vulnerable version; the script text from the request body is compiled and run without any inspection):

```java
@RestController
@RequiredArgsConstructor
@RequestMapping("/groovy")
public class GroovyController {

    // Audit-log entry and menu permission: only an admin holding GroovyExec may call this.
    @Log(title = "Execute Groovy script", businessType = BusinessType.UPDATE)
    @Priv(type = AdminUserType.TYPE, value = SysMenuPriv.GroovyExec)
    @PostMapping("/exec")
    public R<?> execGroovyScript(@RequestBody @Validated ScriptBody scriptBody) throws Exception {
        StringWriter writer = new StringWriter();
        PrintWriter printWriter = new PrintWriter(writer);
        try {
            // The request's scriptText is handed straight to the Groovy loader and executed.
            BaseGroovyScript script = GroovyScriptFactory.getInstance().loadNewInstance(scriptBody.getScriptText());
            script.setPrintWriter(printWriter);
            script.run();
        } catch (Exception e) {
            e.printStackTrace(printWriter);
        }
        // Script output (or the stack trace) is returned to the caller.
        return R.ok(writer.toString());
    }

    @Getter
    @Setter
    static class ScriptBody {
        @NotEmpty
        private String scriptText;
    }
}
```
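One way to replace the unchecked loadNewInstance(...).run() path, added here as an example and not ChestnutCMS's own code: compile the submitted script under a Groovy SecureASTCustomizer allowlist, so that anything outside the policy is refused before it ever runs. The RestrictedGroovyRunner class, the allowlist contents and the two sample scripts are assumptions; the policy would be tuned to what the deployment's scripts genuinely need.

```java
import java.util.List;

import groovy.lang.Binding;
import groovy.lang.GroovyShell;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

/** Hypothetical replacement for the unchecked loadNewInstance(...).run() path. */
public final class RestrictedGroovyRunner {

    private final GroovyShell shell;

    public RestrictedGroovyRunner() {
        SecureASTCustomizer policy = new SecureASTCustomizer();
        // Scripts are expressions only: no package/class declarations, no method definitions.
        policy.setPackageAllowed(false);
        policy.setMethodDefinitionAllowed(false);
        policy.setClosuresAllowed(false);
        // Assumed allowlist: explicit imports limited to java.lang.Math, star imports to
        // java.lang (so Integer/String still resolve), no static imports at all.
        policy.setAllowedImports(List.of("java.lang.Math"));
        policy.setAllowedStarImports(List.of("java.lang"));
        policy.setAllowedStaticImports(List.of());
        policy.setAllowedStaticStarImports(List.of());
        // Check fully-qualified class references too, not only import statements.
        policy.setIndirectImportCheckEnabled(true);
        // Method calls may only be made on these receiver types.
        policy.setAllowedReceivers(List.of("java.lang.Math", "java.lang.String", "java.lang.Integer"));

        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(policy);
        shell = new GroovyShell(new Binding(), config);
    }

    /** Compiles under the policy and runs; a policy violation never reaches execution. */
    public String run(String scriptText) {
        try {
            return "ok: " + shell.evaluate(scriptText);
        } catch (SecurityException | CompilationFailedException e) {
            // SecureASTCustomizer raises SecurityException; the compiler may wrap it in a
            // MultipleCompilationErrorsException, which is a CompilationFailedException.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        RestrictedGroovyRunner runner = new RestrictedGroovyRunner();
        System.out.println(runner.run("Math.max(2, 3) * 10"));                    // within policy
        System.out.println(runner.run("import java.util.UUID\nUUID.randomUUID()")); // import not allowed
    }
}
```

The allowlist is compile-time defense in depth, not a sandbox of the running JVM, so the endpoint's existing @Priv restriction and @Log record still matter.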