JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.
The vulnerability (CWE-1336 — improper neutralization of special elements in template engine) consists in the ForTag mechanism not being properly restricted by the template engine's sandbox. An attacker can craft a malicious template containing a ForTag construct that bypasses built-in restrictions and enables direct instantiation of arbitrary Java classes. As a result, access to files on the server and execution of arbitrary code in the application context are possible.
An unauthenticated attacker can remotely execute arbitrary Java code on the server (RCE), instantiate arbitrary Java classes, and gain unauthorized access to files — leading to complete takeover of the application and potentially the operating system.
HubSpot JinJava should be updated to version 2.7.6 or 2.8.3, in which the vulnerability has been fixed. Fix commits are available in the project's GitHub repository (3d02e504 and c7328dce). If immediate update is not possible, processing of untrusted templates by the template engine should be disabled.
HubSpot JinJava in versions prior to 2.7.6 and prior to 2.8.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHubspot Jinjava
APPHubspot< 2.7.62.8.0 – 2.8.3 (bez)
Related vulnerabilities
HubSpot Jinjava — ucieczka z sandbox i RCE przez deserializację szablonów
Jinjava before 2.5.4 allow access to arbitrary classes by calling Java methods on objects passed into a Jinjav...
Jinjava before 2.4.6 does not block the getClass method, related to com/hubspot/jinjava/el/ext/JinjavaBeanELRe...
The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, w...
The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads...