thymeleaf SSTI vulnerability which can cause Remote-Command-Execution

[p1n93r]

Reference to https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI

[erikpetzold]

Hi @p1n93r , thanks for reporting, we will look into this.
In any case you will need POST Access to /env, right?

For users:
This attack requires explicitly allowing POST requests in the config.
The endpoint is provided by Spring Cloud and already has security warnings in the docs: https://docs.spring.io/spring-cloud-commons/docs/current/reference/html/#endpoints

The current quick fix is to set

management:
  endpoint:
    env:
      post:
        enabled: false

(which is also the default, need only to change if you have it set to true)

We will investigate what we can do in Spring Boot Admin to make this more secure.

[p1n93r]

yes, only you have the POST Access to /env can attack success.

For springboot-admin, you can try restricting the template property of the MailNotifier to not allow protocols like file:/// or http://. Additionally, consider adding sandbox rules for Thymeleaf.

[SteKoe]

Hi @p1n93r,

we have implemented a change that just allows to load classpath resources as suggested.