
Cloud Vulnerability DB
A community-led vulnerabilities database
ThingsBoard before version 3.5 contains a Server-Side Template Injection vulnerability (CVE-2023-45303) that affects users who have permissions to modify email templates. The vulnerability exists because Apache FreeMarker supports freemarker.template.utility.Execute functionality for content sent to the /api/admin/settings endpoint. The vulnerability was discovered and disclosed in October 2023 (NVD, USD HeroLab).
The vulnerability leverages Apache FreeMarker's template engine capabilities, specifically the freemarker.template.utility.Execute class, which can be exploited through email template modification. The CVSS v3.1 base score is 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a severe security risk. The vulnerability can be triggered by injecting malicious template code into the email templates that are processed by the FreeMarker engine (NVD).
Successful exploitation of this vulnerability allows authenticated users with email template modification permissions to execute arbitrary commands on the underlying system. This can lead to complete system compromise, as attackers can execute operating system commands with the same privileges as the account running ThingsBoard (USD HeroLab).
The primary mitigation is to upgrade ThingsBoard to version 3.5 or later. For systems that cannot be immediately upgraded, it is recommended to define templates statically where possible and ensure proper input validation for dynamically generated templates. Additionally, using templating engines that are not Turing-complete can help separate the template engine from the underlying system (USD HeroLab).
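The following is an added example, not code from ThingsBoard or from the advisory sources, illustrating the "define templates statically" advice with FreeMarker itself. E-mail templates are fixed strings in code, request-controlled values are passed only as data-model entries (which FreeMarker interpolates as text rather than parsing as template syntax), and the configuration additionally refuses to resolve any class through the `?new` built-in, which is how `freemarker.template.utility.Execute` would be reached. The class name `StaticMailTemplates`, the template names, the sample model values and the FreeMarker version constant are assumptions; the API calls are from FreeMarker 2.3.x.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;

/** Static e-mail templates rendered with a hardened FreeMarker configuration (hypothetical class). */
public final class StaticMailTemplates {

    // Templates are fixed at build time; nothing supplied by a request ever becomes template source.
    private static final StringTemplateLoader TEMPLATES = new StringTemplateLoader();
    static {
        TEMPLATES.putTemplate("account.activated",
            "Hello ${userName},\n\nYour account ${userEmail} has been activated.\n");
        TEMPLATES.putTemplate("password.reset",
            "Hello ${userName},\n\nReset your password here: ${resetUrl}\n");
    }

    private static final Configuration CFG = hardenedConfiguration();

    private static Configuration hardenedConfiguration() {
        // Assumed FreeMarker release; use the one your project depends on.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        cfg.setTemplateLoader(TEMPLATES);
        cfg.setLocalizedLookup(false);   // look up the exact static name, no locale variants
        cfg.setDefaultEncoding("UTF-8");
        // Defence in depth for the class named in the advisory: ALLOWS_NOTHING_RESOLVER makes the
        // ?new built-in refuse every class, so freemarker.template.utility.Execute cannot be
        // instantiated even if template source were ever tampered with.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // The ?api built-in exposes raw Java methods of wrapped objects; e-mail templates do not need it.
        cfg.setAPIBuiltinEnabled(false);
        // Fail closed: a template error aborts rendering instead of emitting partial output.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        cfg.setLogTemplateExceptions(false);
        return cfg;
    }

    /**
     * Renders a named static template. Request-controlled values (user name, e-mail, URL) are
     * passed only as data-model values, which FreeMarker interpolates as plain text and never
     * parses as template syntax.
     */
    public static String render(String templateName, Map<String, Object> model)
            throws IOException, TemplateException {
        Template template = CFG.getTemplate(templateName);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a display name containing interpolation syntax.
        // It is emitted literally, because data-model strings are not re-parsed.
        Map<String, Object> model = Map.of(
            "userName", "Alice ${not_evaluated}",
            "userEmail", "alice@example.invalid");
        System.out.println(render("account.activated", model));
    }
}
```

`ALLOWS_NOTHING_RESOLVER` is the strictest setting; `TemplateClassResolver.SAFER_RESOLVER` is the middle ground that still permits `?new` for ordinary classes but specifically refuses `Execute`, `ObjectConstructor` and `JythonRuntime`. Either is only a backstop: the substantive control is that template source is never assembled from request data, so an account with settings permissions edits data-model values, not the template that is parsed.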
Source: This report was generated using AI