
Cloud Vulnerability DB
A community-led vulnerabilities database
Ballcat Codegen, prior to version 1.0.0.beta.2, contained a remote code execution vulnerability (CVE-2022-24881) in its online code generation template functionality. The vulnerability was discovered and disclosed on April 25, 2022, affecting the template engine components that utilize both Velocity and Freemarker templates (GitHub Advisory).
The vulnerability stems from insufficient input validation in both Velocity and Freemarker template implementations. The CVSS v3.1 score for this vulnerability is 8.8 (HIGH), while the CVSS v2.0 score is 9.0 (HIGH). The vulnerability is classified under CWE-94 (Code Injection) and CWE-20 (Improper Input Validation) (NVD).
When exploited, this vulnerability allows attackers to execute arbitrary code remotely through malicious template injection. Attackers can craft specially formatted templates using either Velocity or Freemarker syntax to achieve remote code execution on the affected system (GitHub Advisory).
The vulnerability was patched in version 1.0.0.beta.2 with commit 84a7cb3, which implemented security policies for both template engines. The fix uses TemplateClassResolver.SAFER_RESOLVER for the Freemarker engine and SecureUberspector for the Velocity engine. Users are strongly advised to upgrade to version 1.0.0.beta.2 or later (GitHub Commit).
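As an added illustration of the two hardening settings named in the fix (example code written for this entry, not Ballcat's own code): the engine defaults, with no class resolver or uberspector configured, are the weak setting, and the two methods below apply the corrected one. The template text is constructed and benign, and `Configuration.VERSION_2_3_31` is an assumed FreeMarker version.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public final class HardenedTemplateEngines {

    /** FreeMarker: by default the ?new built-in can instantiate any class on the classpath. */
    public static Configuration freemarkerConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31); // assumed version
        // SAFER_RESOLVER refuses the utility classes FreeMarker documents as unsafe for
        // untrusted templates (ObjectConstructor, Execute, JythonRuntime); everything else resolves.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        return cfg;
    }

    /** Velocity: SecureUberspector blocks reflection paths (Class, ClassLoader, Thread, ...) from templates. */
    public static VelocityEngine velocityEngine() {
        VelocityEngine ve = new VelocityEngine();
        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        ve.init();
        return ve;
    }

    public static String renderFreemarker(Configuration cfg, String source, Map<String, Object> model) throws Exception {
        Template t = new Template("codegen", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static String renderVelocity(VelocityEngine ve, String source, Map<String, Object> model) {
        VelocityContext ctx = new VelocityContext(model);
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "codegen", source);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed code-generation template: it only references model data supplied by the caller.
        Map<String, Object> model = Map.of("className", "UserEntity");
        System.out.println(renderFreemarker(freemarkerConfig(), "public class ${className} {}", model));
        System.out.println(renderVelocity(velocityEngine(), "public class ${className} {}", model));
    }
}
```

Both renderers still evaluate ordinary template expressions; the two settings only remove the engines' class-loading and reflection paths, which is why the advisory's fix applied them rather than disabling the template feature.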
The vulnerability has been observed being targeted in attacks against financial services organizations, highlighting its significance in real-world attack scenarios (Akamai Report).
Source: This report was generated using AI