CVE-2024-22533: 
Java vulnerability analysis and mitigation

A server-side template injection (SSTI) vulnerability was discovered in Beetl versions up to and including 3.15.12. The vulnerability exists in the rendering template functionality where incoming templates are processed through the DefaultNativeSecurityManager blacklist filter. Due to insufficient filtering mechanisms, the blacklist can be bypassed, potentially leading to arbitrary code execution (Gitee Issue).

The vulnerability stems from the DefaultNativeSecurityManager's blacklist-based filtering approach which attempts to restrict access to dangerous classes like java.lang.Runtime, java.lang.Process, java.lang.ProcessBuilder, java.lang.Thread, java.lang.Class, java.lang.System, and packages starting with javax.* and sun.*. However, the blacklist implementation is not strict enough and can be circumvented using reflection techniques. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the affected system through template injection. The high severity score reflects the potential for complete system compromise, as attackers can bypass security controls to execute commands with the same privileges as the application running the Beetl template engine (Gitee Issue).

The recommended mitigation is to disable access to java.lang.reflect package in the security manager. A fix has been implemented in versions after 3.15.12. Users are strongly advised to upgrade to the latest version that includes these security improvements (Gitee Issue).