y_project RuoYi Server-Side Template Injection Vulnerability Allowing Code Execution

A server-side template injection vulnerability has been identified in y_project RuoYi versions through 4.8.1. The issue resides in the CacheController, specifically within the '/monitor/cache/getnames' endpoint. The vulnerability arises because the 'fragment' parameter is not properly sanitized, allowing attackers to inject malicious code via crafted Thymeleaf expressions. Exploitation of this vulnerability can lead to unauthorized code execution on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where y_project RuoYi is deployed.

Reproduction

To reproduce this vulnerability, send a POST request to the '/monitor/cache/getNames' endpoint. Include a 'fragment' parameter with a value that contains a Thymeleaf expression, such as one that uses the response object to execute code. The injected code will be executed during the processing of the template, demonstrating the server-side template injection vulnerability.

Remediation

No specific remediation is known for this vulnerability, but it is recommended to strengthen input validation and consider updating to a version of RuoYi that addresses this issue.