| tiêu đề | Github ShifuML 0.12.0 Expression Language Injection |
|---|
| Mô tả | Description:
The Shifu project of ShifuML https://github.com/ShifuML/shifu is vulnerable to Java Expression Language Injection Via FilterExpression parameter.
Impact:
The quick impact here is Code Execution, but depending upon how the project is being used it can either lead to Initial Access Via Remote Code Execution or Local Privilege Escalation VIA Rce if the Shifu binary is being given sudo permission.
Steps To Reproduce:
Check out the Proof-Of-Concept Video.
RootCause:
https://github.com/ShifuML/shifu/blob/20f589158adfc011c505664cf7bdf31e36ed62fa/src/main/java/ml/shifu/shifu/core/DataPurifier.java#L53
There are multiple occurrences of JEXL.CreateExpression and evaluation.
All them can lead to Code Execution.
Mitigation:
JEXL Expression should be evaluated in a sandboxed Environment.
https://blog.gypsyengineer.com/en/security/detecting-jexl-injections-with-codeql.html |
|---|
| Nguồn | ⚠️ https://drive.google.com/file/d/1ST3dD-iwUBgBNZ8tGaBbqVi1zRh5rLND/view?usp=sharing |
|---|
| Người dùng | w3bspl01t3r (UID 39229) |
|---|
| Đệ trình | 26/12/2023 21:50 (cách đây 2 những năm) |
|---|
| Kiểm duyệt | 28/12/2023 09:48 (1 day later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 249151 [ShifuML shifu 0.12.0 Java Expression Language DataPurifier.java FilterExpression nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|