CVE-2022-24881

Ballcat Codegen provides the function of online editing code to generate templates. In versions prior to 1.0.0.beta.2, attackers can implement remote code execution through malicious code injection of the template engine. This happens because Velocity and freemarker templates are introduced but input verification is not done. The fault is rectified in version 1.0.0.beta.2.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ballcat:codegen:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:51

Type Values Removed Values Added
References () https://github.com/ballcat-projects/ballcat-codegen/commit/84a7cb38daf0295b93aba21d562ec627e4eb463b - Patch, Third Party Advisory () https://github.com/ballcat-projects/ballcat-codegen/commit/84a7cb38daf0295b93aba21d562ec627e4eb463b - Patch, Third Party Advisory
References () https://github.com/ballcat-projects/ballcat-codegen/issues/5 - Issue Tracking, Patch, Third Party Advisory () https://github.com/ballcat-projects/ballcat-codegen/issues/5 - Issue Tracking, Patch, Third Party Advisory
References () https://github.com/ballcat-projects/ballcat-codegen/security/advisories/GHSA-fv3m-xhqw-9m79 - Exploit, Patch, Third Party Advisory () https://github.com/ballcat-projects/ballcat-codegen/security/advisories/GHSA-fv3m-xhqw-9m79 - Exploit, Patch, Third Party Advisory
CVSS v2 : 7.5
v3 : 9.8
v2 : 7.5
v3 : 8.8

06 May 2022, 13:14

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 7.5
v3 : 9.8
References (CONFIRM) https://github.com/ballcat-projects/ballcat-codegen/security/advisories/GHSA-fv3m-xhqw-9m79 - (CONFIRM) https://github.com/ballcat-projects/ballcat-codegen/security/advisories/GHSA-fv3m-xhqw-9m79 - Exploit, Patch, Third Party Advisory
References (MISC) https://github.com/ballcat-projects/ballcat-codegen/issues/5 - (MISC) https://github.com/ballcat-projects/ballcat-codegen/issues/5 - Issue Tracking, Patch, Third Party Advisory
References (MISC) https://github.com/ballcat-projects/ballcat-codegen/commit/84a7cb38daf0295b93aba21d562ec627e4eb463b - (MISC) https://github.com/ballcat-projects/ballcat-codegen/commit/84a7cb38daf0295b93aba21d562ec627e4eb463b - Patch, Third Party Advisory
CWE CWE-20
CPE cpe:2.3:a:ballcat:codegen:*:*:*:*:*:*:*:*

26 Apr 2022, 17:21

Type Values Removed Values Added
New CVE

Information

Published : 2022-04-26 16:15

Updated : 2024-11-21 06:51


NVD link : CVE-2022-24881

Mitre link : CVE-2022-24881

CVE.ORG link : CVE-2022-24881


JSON object : View

Products Affected

ballcat

  • codegen
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-20

Improper Input Validation