CVE-2023-38286 - Remote Code Execution (RCE)
Severity: None
2023-10-23
Abstract
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
The Oxygen products incorporate Thymeleaf as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen XML Web Author v25.1.0.1 and older | None | Oxygen XML Web Author 26.0.0 build 2023101015 |
| Oxygen Content Fusion v5.1.1 and older | None | Oxygen Content Fusion 6.0 build 2023110109 |
| Oxygen Feedback v3.0.2 and older | None | N/A |
Detail
CVE-2023-38286
Severity: High
CVSS Score: 7.5
The Thymeleaf third-party library used by Oxygen XML products is one of the versions listed as affected in the CVE-2023-38286 description. However, since Oxygen products do not use Spring Boot Admin Server, this vulnerability does not affect Oxygen products.
Starting with Oxygen XML Web Author v26.0.0 build 2023101015, the Thymeleaf library was updated to a version that fixes this vulnerability.