HubSpot jinjava
cpe:2.3:a:hubspot:jinjava:*:*:*:*:*:*:*
- < 2.8.1
A vulnerability in Jinjava versions prior to 2.8.1 allows for sandbox escape by exploiting the ObjectMapper's deserialization capabilities. By using the JavaType class to construct arbitrary types, an attacker can instantiate classes like java.net.URL, access local files, and with further exploitation, potentially execute remote code. This issue arises because Jinjava's restrictions on dangerous methods can be bypassed, enabling the creation of semi-arbitrary class instances that can be leveraged for malicious purposes.
Exploitation of this vulnerability escapes the Jinjava sandbox, allowing the instantiation of various classes through JavaType. This could be used to read arbitrary files or perform server-side request forgery (SSRF) by creating network-related objects. In some environments, this could lead to complete remote code execution.
To reproduce this vulnerability, first upload a Jinjava template that accesses the built-in variable '____int3rpr3t3r____', which refers to the JinjavaInterpreter instance. The template can invoke the 'readValue' method of the ObjectMapper to deserialize input into arbitrary classes, such as 'java.net.URL'. Once a URL object is created, it can be used to read local files, like '/etc/passwd'. Depending on the instantiated class and the environment, this can be chained to achieve remote code execution.
Users can upgrade to Jinjava version 2.8.1 or later, where this vulnerability has been fixed.