Jinjava, Sandbox Escape, CVE-2023-50715 (Critical)

Listen to this Post

The vulnerability exploits Jinjava’s incomplete sandbox by accessing the internal `____int3rpr3t3r____` variable to retrieve the `ObjectMapper` instance. The sandbox blocks direct access to dangerous classes like `Class` but fails to restrict JavaType. An attacker uses `mapper.getTypeFactory().constructFromCanonical(‘java.net.URL’)` to create a `JavaType` reference for a restricted class. This `JavaType` is then passed to the `readValue()` method, which deserializes attacker-controlled input (like a string containing "file:///etc/passwd") into an instance of the specified, restricted class (e.g., java.net.URL). This bypasses all sandbox protections, enabling the instantiation of powerful objects that can read files, make network requests, or chain into remote code execution.
Platform: Jinjava
Version: <=2.8.0
Vulnerability: Sandbox Escape
Severity: Critical

date: 2023-12-18

Prediction: Patch 2024-01-15

What Undercode Say:

`{{ mapper.readValue(‘”file:///etc/passwd”‘, mapper.getTypeFactory().constructFromCanonical(‘java.net.URL’)) }}`

How Exploit:

Access internal interpreter.

Traverse to ObjectMapper.

Construct JavaType for target.

Deserialize payload.

Protection from this CVE

Blacklist JavaType.

Restrict ____int3rpr3t3r____.

Update Jinjava version.

Impact:

Arbitrary File Read

SSRF

Potential RCE

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top