Listen to this Post
The vulnerability exploits Jinjava’s incomplete sandbox by accessing the internal `____int3rpr3t3r____` variable to retrieve the `ObjectMapper` instance. The sandbox blocks direct access to dangerous classes like `Class` but fails to restrict JavaType. An attacker uses `mapper.getTypeFactory().constructFromCanonical(‘java.net.URL’)` to create a `JavaType` reference for a restricted class. This `JavaType` is then passed to the `readValue()` method, which deserializes attacker-controlled input (like a string containing "file:///etc/passwd") into an instance of the specified, restricted class (e.g., java.net.URL). This bypasses all sandbox protections, enabling the instantiation of powerful objects that can read files, make network requests, or chain into remote code execution.
Platform: Jinjava
Version: <=2.8.0
Vulnerability: Sandbox Escape
Severity: Critical
date: 2023-12-18
Prediction: Patch 2024-01-15
What Undercode Say:
`{{ mapper.readValue(‘”file:///etc/passwd”‘, mapper.getTypeFactory().constructFromCanonical(‘java.net.URL’)) }}`
How Exploit:
Access internal interpreter.
Traverse to ObjectMapper.
Construct JavaType for target.
Deserialize payload.
Protection from this CVE
Blacklist JavaType.
Restrict ____int3rpr3t3r____.
Update Jinjava version.
Impact:
Arbitrary File Read
SSRF
Potential RCE
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

