Arbitrary Code Execution Affecting io.pebbletemplates:pebble Open this link in a new tab package, versions [,3.1.4)

Attack Complexity

Low
Confidentiality

High
Integrity

High
Availability

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-IOPEBBLETEMPLATES-538370
published

19 Dec 2019
disclosed

19 Dec 2019
credit

ismai1337

Report a new vulnerability Found a mistake?

Introduced: 19 Dec 2019

CVE-2019-19899 Open this link in a new tab CWE-358 Open this link in a new tab

How to fix?

Upgrade io.pebbletemplates:pebble to version 3.1.4 or higher.

Overview

io.pebbletemplates:pebble is a java templating engine inspired by Twig.

Affected versions of this package are vulnerable to Arbitrary Code Execution. It allows attackers to bypass a protection mechanism (intended to block access to instances of java.lang.Class) due to getClass being accessible via the public static java.lang.Class java.lang.Class.forName(java.lang.Module,java.lang.String) signature.

Arbitrary Code Execution Affecting io.pebbletemplates:pebble Open this link in a new tab package, versions [,3.1.4)

Attack Complexity

Confidentiality

Integrity

Availability

snyk-id

published

disclosed

credit

Introduced: 19 Dec 2019

How to fix?

Overview

References