Description

Jinjava before 2.4.6 does not block the getClass method, related to com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java.

Remediation

References

https://github.com/HubSpot/jinjava/blob/master/CHANGES.md

https://github.com/HubSpot/jinjava/pull/230

Related Vulnerabilities

CVE-2020-15168 Vulnerability in maven package org.webjars.npm:node-fetch

CVE-2021-21266 Vulnerability in maven package org.openhab.addons.bundles:org.openhab.binding.tellstick

CVE-2023-40014 Vulnerability in npm package @openzeppelin/contracts-upgradeable

CVE-2019-10288 Vulnerability in maven package de.e-nexus:jabber-server-plugin

CVE-2020-2257 Vulnerability in maven package org.jenkins-ci.plugins:validating-string-parameter

Severity

Medium

Classification

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Release Notes Third Party Advisory Patch NVD-CWE-noinfo