CVE-2021-43466 - Remote Code Execution (RCE)
Severity: Low
Date: 2021-12-10
Abstract
In the thymeleaf-spring5:3.0.12 component, Thymeleaf combined with specific template injection scenarios may lead to remote code execution.
The Oxygen XML products incorporate thymeleaf-spring as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability
Oxygen Feedback 1.4.3 and older | Low | Oxygen Feedback 1.4.4 build 2021062217
Detail
CVE-2021-43466
Severity: Critical
CVSS Score: 9.8
The thymeleaf-spring third-party library used by the Oxygen XML software products is one of the affected versions listed in the CVE-2021-43466 vulnerability description. However, the Oxygen XML software products do not render templates supplied by users. Therefore, the Oxygen XML software products are not impacted by CVE-2021-43466.
Starting with Oxygen Feedback version 1.4.4, the thymeleaf-spring package was updated to version 3.0.13, which includes a fix for this vulnerability.
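The version boundary stated above (3.0.12 affected, 3.0.13 fixed) is easy to check in a build's own dependency report. The following script is an added example written for this advisory, not Oxygen XML or Thymeleaf project code: it scans lines in the format printed by `mvn dependency:list` (the sample lines are constructed here) and flags any `org.thymeleaf:thymeleaf-spring5` coordinate, direct or transitive, whose version is older than the fixed release. The Maven group id `org.thymeleaf` is the real coordinate; the fixed-version constant comes from this advisory.

```python
"""Flag thymeleaf-spring5 versions older than the CVE-2021-43466 fix in a Maven dependency listing."""
import re
from typing import List, Tuple

# Facts taken from the advisory: thymeleaf-spring5 3.0.12 is affected, 3.0.13 carries the fix.
FIXED_VERSION = (3, 0, 13)
WATCHED_ARTIFACT = "org.thymeleaf:thymeleaf-spring5"

# groupId:artifactId:type[:classifier]:version:scope, as printed by `mvn dependency:list`
_COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.0.12' or '3.0.13.RELEASE' into a numeric tuple that compares correctly.

    Parsing stops at the first non-numeric segment so qualifiers such as
    RELEASE or SNAPSHOT do not break the comparison.
    """
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def find_vulnerable(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (coordinate, version) pairs for watched artifacts below the fixed version."""
    findings = []
    for line in lines:
        match = _COORD.search(line)
        if not match:
            continue  # log chatter, headers, or unrelated output
        coordinate = f"{match['group']}:{match['artifact']}"
        if coordinate != WATCHED_ARTIFACT:
            continue
        if parse_version(match["version"]) < FIXED_VERSION:
            findings.append((coordinate, match["version"]))
    return findings


# Constructed sample output, shaped like `mvn dependency:list` with transitive entries.
SAMPLE_DEPENDENCY_LIST = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.5.6:compile",
    "[INFO]    org.thymeleaf:thymeleaf-spring5:jar:3.0.12:compile",
    "[INFO]    org.thymeleaf:thymeleaf:jar:3.0.12:compile",
    "[INFO]    org.slf4j:slf4j-api:jar:1.7.32:compile",
]

if __name__ == "__main__":
    for coordinate, version in find_vulnerable(SAMPLE_DEPENDENCY_LIST):
        print(f"{coordinate}:{version} is below the fixed version 3.0.13 (CVE-2021-43466)")
```

Feed the script the output of `mvn dependency:list` rather than only the top-level `pom.xml`, since a starter such as `spring-boot-starter-thymeleaf` pulls thymeleaf-spring5 in transitively and the version that matters is the one actually resolved.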