jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Priori to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs(e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). This vulnerability is fixed in 2.8.1.
An attacker can exploit the mapper.getTypeFactory().constructFromCanonical() method to induce the built-in ObjectMapper to deserialize attacker-controlled input into arbitrary Java classes. This allows instantiation of classes such as java.net.URL without directly invoking restricted methods or class literals, effectively bypassing the sandbox mechanism. By chaining the obtained primitives, an attacker can gain access to local files and network resources (e.g., file:///etc/passwd), and subsequently achieve remote code execution (RCE).
An attacker can gain full control over the compromised system, including reading arbitrary local files, establishing connections to external resources, and potentially executing remote code (RCE) without requiring any privileges.
Update the HubSpot Jinjava library to version 2.8.1 or later, where the vulnerability has been fixed. Patches are available in the vendor's GitHub repository (tag jinjava-2.8.1).
HubSpot Jinjava in versions prior to 2.8.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHubspot Jinjava
APPHubspot< 2.8.1
Related vulnerabilities
HubSpot JinJava — obejście sandbox i wykonanie dowolnego kodu Java przez ForTag
Jinjava before 2.5.4 allow access to arbitrary classes by calling Java methods on objects passed into a Jinjav...
Jinjava before 2.4.6 does not block the getClass method, related to com/hubspot/jinjava/el/ext/JinjavaBeanELRe...
The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, w...
The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads...