
CVE-2023-38286 Report - Details, Severity, & Advisories

Twingate Team

Jun 13, 2024

What is CVE-2023-38286?

CVE-2023-38286 is a high-severity vulnerability in Thymeleaf up to and including version 3.1.1.RELEASE, as used by Spring Boot Admin up to version 3.1.0. Crafted HTML bypasses the Thymeleaf expression sandbox, and in Spring Boot Admin Server that bypass can be turned into Server Side Template Injection (SSTI) and code execution. Exploitation requires two conditions together: a MailNotifier is enabled, and the attacker has write access to environment variables through the Spring Boot Admin user interface.

Who is impacted by this?

Anyone running Thymeleaf up to version 3.1.1.RELEASE or Spring Boot Admin up to version 3.1.0 is affected. The practical risk is concentrated in Spring Boot Admin Server deployments that both enable a MailNotifier and allow environment variables to be written through the user interface; that combination is what lets an attacker reach the sandbox bypass and escalate it to SSTI and code execution. A deployment with no MailNotifier, or with a read-only environment, still carries the vulnerable code but does not expose this attack path.

What should I do if I'm affected?

If you're affected by CVE-2023-38286, take the following steps to secure your system:

  1. Disable any MailNotifier.

  2. Disable write access (POST requests) on the /env actuator endpoint, which is the endpoint the Spring Boot Admin UI writes through when it changes environment variables.

  3. If the MailNotifier must stay enabled, restrict its template property to a fixed set of bundled templates; never allow http:// or file:/// locations.

  4. Update to a version of Spring Boot Admin Server not affected by the vulnerability.
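As an added example, not part of the original report or of the Spring Boot Admin project, the following application.yml fragments express workarounds 1 to 3 as configuration, with the weak values noted beside the hardened ones. The property names (spring.boot.admin.notify.mail.* on the admin server, management.endpoint.env.post.enabled and management.endpoints.web.exposure.include on each monitored application) are assumed from the Spring Boot Admin and Spring Boot Actuator configuration keys and should be checked against the versions actually in use.

```yaml
# Added example (not from the advisory or the Spring Boot Admin project).
# Assumed property names: spring.boot.admin.notify.mail.* (Spring Boot Admin
# Server) and management.endpoint.env.post.enabled (Spring Boot Actuator).

# --- application.yml on the Spring Boot Admin Server ---------------------------
spring:
  boot:
    admin:
      notify:
        mail:
          # Weak setting: enabled: true together with a "to" address activates
          # the MailNotifier, so a Thymeleaf template is rendered on every
          # status change.
          # Workaround 1: turn the MailNotifier off entirely.
          enabled: false
          # Workaround 3 (only relevant if mail notifications must stay on):
          # keep the template pinned to a resource shipped inside the jar and
          # never let it be pointed at an http:// or file:/// location, whether
          # in this file or at runtime through the environment.
          template: "classpath:/META-INF/spring-boot-admin-server/mail/status-changed.html"

# --- application.yml on each monitored application ---------------------------
management:
  endpoint:
    env:
      post:
        # Weak setting: enabled: true lets the Spring Boot Admin UI (or anyone
        # who can reach the actuator) write environment properties via POST.
        # Workaround 2: keep /env read-only. false is the Spring Boot default;
        # it is written out explicitly so a stray override is easy to spot.
        enabled: false
  endpoints:
    web:
      exposure:
        # Expose only the endpoints the admin server actually needs rather
        # than "*"; the smaller the surface, the less an attacker can write to.
        include: "health,info,env"
```

Because the env endpoint lives on the monitored applications, not on the admin server, the second fragment has to be applied to every registered client; hardening the admin server alone does not close the write path.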

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-38286 vulnerability, also known as Thymeleaf Sandbox Bypass, is not listed in CISA's Known Exploited Vulnerabilities Catalog. It was published on July 14, 2023. KEV listings change over time, so check the catalog directly rather than relying on this status.

Weakness Enumeration

The weakness enumeration for this vulnerability is categorized as CWE-77, which involves improper neutralization of special elements used in a command, also known as 'Command Injection'.

Learn More

For a comprehensive understanding of its description, severity, technical details, and affected software configurations, refer to the NVD page.
