CVE-2022-24881
Published 2022-04-26
Priority: P2 · 63 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.91% (85.2th percentile)
Ballcat Codegen provides the function of online editing code to generate templates. In versions prior to 1.0.0.beta.2, attackers can implement remote code execution through malicious code injection of the template engine. This happens because Velocity and freemarker templates are introduced but input verification is not done. The fault is rectified in version 1.0.0.beta.2.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ballcat-projects | ballcat-codegen | < 1.0.0.beta.2 | 1.0.0.beta.2 |
| ballcat | codegen | < 1.0.0 | 1.0.0 |
CVSS provenance
NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
ghsa · 2022-04-27
CVE-2022-24881 [HIGH] CWE-20 ballcat-codegen template engine remote code execution injection
### Impact
Ballcat Codegen provides the function of online editing code to generate templates.
In versions < 1.0.0.beta.2, Velocity and FreeMarker templates are introduced but input verification is not done, so attackers can achieve remote code execution through malicious code injection into the template engine.
### Patches
The fault is rectified; upgrade to the latest version.
OSV
osv · 2022-04-27
CVE-2022-24881 [HIGH] ballcat-codegen template engine remote code execution injection
(Advisory text identical to the GHSA entry above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/ballcat-projects/ballcat-codegen/commit/84a7cb38daf0295b93aba21d562ec627e4eb463b
- https://github.com/ballcat-projects/ballcat-codegen/issues/5
- https://github.com/ballcat-projects/ballcat-codegen/security/advisories/GHSA-fv3m-xhqw-9m79