HubSpot Jinjava
cpe:2.3:a:hubspot:jinjava:*:*:*:*:*:*:*
- >= 2.8.0, < 2.8.3
- < 2.7.6
A critical vulnerability allowing arbitrary Java execution has been identified in JinJava, a template engine that renders Jinja templates using Django syntax. This issue affects JinJava versions 2.8.0 prior to 2.8.3 and all 2.7.x versions prior to 2.7.6. The vulnerability arises from a sandbox bypass through the ForTag class, which fails to enforce property access restrictions. As a result, it allows unauthorized access to Java object properties, instantiation of arbitrary classes, and file access, circumventing built-in security measures.
Exploitation of this vulnerability could lead to unauthorized access to restricted Java properties, arbitrary class instantiation, file system access, and potentially executing arbitrary code on the server.
To reproduce this vulnerability, create or edit a Jinja template that includes a for loop iterating over object properties. The ForTag class will not enforce property access restrictions, allowing access to arbitrary getter methods. Additionally, the vulnerability can be reproduced by using the ObjectMapper class to deserialize JSON into Java objects, bypassing the sandbox's type allowlist and accessing restricted classes or methods.
Users should upgrade to JinJava version 2.8.3 (for the 2.8.x line) or 2.7.6 (for the 2.7.x line) to address this vulnerability.
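As an added example (not part of this advisory or of the Jinjava project), a small Python check that applies the affected ranges listed above to the version declared for the Maven coordinates com.hubspot.jinjava:jinjava in a pom.xml. The sample pom is constructed, and the handling of version qualifiers and unresolved `${...}` properties is an assumption of this snippet.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory: >= 2.8.0 and < 2.8.3, or anything < 2.7.6.
# Each entry is (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [((2, 8, 0), (2, 8, 3)), (None, (2, 7, 6))]

def parse_version(text):
    """Turn '2.8.1' or '2.8.1-SNAPSHOT' into a comparable tuple; qualifiers are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]  # pad '2.8' to (2, 8, 0), drop extra components

def is_affected(version):
    """True if the version lies in one of the advisory's affected ranges."""
    v = parse_version(version)
    return any((low is None or v >= low) and v < high for low, high in AFFECTED_RANGES)

def audit_pom(pom_xml):
    """Return [(declared version, affected or None if unresolvable)] for every
    com.hubspot.jinjava:jinjava dependency declared in a pom.xml string."""
    local = lambda el: el.tag.split("}")[-1]  # drop the Maven POM XML namespace, if present
    results = []
    for dep in ET.fromstring(pom_xml).iter():
        if local(dep) != "dependency":
            continue
        fields = {local(c): (c.text or "").strip() for c in dep}
        if (fields.get("groupId"), fields.get("artifactId")) != ("com.hubspot.jinjava", "jinjava"):
            continue
        version = fields.get("version", "")
        try:
            results.append((version, is_affected(version)))
        except ValueError:  # e.g. '${jinjava.version}', a property this check does not resolve
            results.append((version, None))
    return results

# Constructed sample pom.xml (not from any real project) declaring an affected version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.hubspot.jinjava</groupId>
      <artifactId>jinjava</artifactId>
      <version>2.8.1</version>
    </dependency>
  </dependencies>
</project>"""
```

A version reported as `None` means the pom used a property the check did not resolve, so it must be looked up by hand (or via `mvn help:effective-pom`) before being treated as safe.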