
High vulnerability issue 'thymeleaf-spring5' dependency JAR #263

Closed
anumalasri opened this issue Nov 10, 2021 · 25 comments

Comments

@anumalasri

  • Version of Thymeleaf : thymeleaf-spring5-3.0.12.RELEASE.jar
  • Environment: Spring Boot - 2.5.5
  • Detailed steps to reproduce your issue: Veracode 'Software Composition Analysis' finds the High vulnerability issue given below in all versions of the 'thymeleaf-spring5' dependency JARs.
  • Any possible workarounds you may have found - No

High Severity CVE-2021-43466
Template Injection: thymeleaf-spring5 is vulnerable to template injection. An attacker can inject malicious input through the render function in AjaxThymeleafView.java, leading to remote code execution.

Can you please look into it?

@xtianus

xtianus commented Nov 12, 2021

Just received a notification by Snyk.
Could anyone please give a hint of the requirements for this exploit, so that I can quickly assess the vulnerability of my sites?

@danielfernandez
Member

@xtianus We will provide further public details when a fix has been developed, which should be very soon. In the meantime, you can send an email to the team and we will share further details in private.

danielfernandez added this to the Thymeleaf 3.0.13 milestone Nov 14, 2021
danielfernandez self-assigned this Nov 14, 2021
@torsten-sap

@danielfernandez Do you have a rough estimation when version 3.0.13 with the fix will be available? Thanks!

@dmitry-weirdo

dmitry-weirdo commented Nov 18, 2021

The fix is extremely urgent since it breaks all the builds on vulnerability scanning!

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.5.0:check (default-cli) on project my-app: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
[ERROR] 
[ERROR] thymeleaf-3.0.12.RELEASE.jar: CVE-2021-43466
[ERROR] 
[ERROR] See the dependency-check report for more details.

@danielfernandez
Member

Just in order to reduce anxiety around this issue, I'd like to explain that CVE-2021-43466 only affects those applications that contain controllers or controller configurations that take a request parameter and directly use it, without previous filtering, as the name of the view to be rendered — which is something IMHO no one should be doing, as it is a bit like voluntarily providing a way for code injection.

This is actually just a border case that was not covered by the overall fix for this scenario that was included in 3.0.12.

Current 3.0.13-SNAPSHOT already contains a fix, and 3.0.13 will be released very soon.
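The controller pattern the comment above describes, as an added example that is not part of this thread or of the Thymeleaf project: a client-controlled request parameter returned directly as the view name, beside a version that only ever hands the view layer a name from a fixed allowlist. Class, endpoint and template names are assumed.

```java
import java.util.Map;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

// Added example (hypothetical controller), not code from the thread or from Thymeleaf.
@Controller
public class PageController {

    // Weak: whatever the client sends in ?page=... becomes the view name that Spring
    // passes to the Thymeleaf view resolver. Thymeleaf's Spring integration interprets
    // the view name rather than treating it as an opaque file name, so letting the
    // client choose it is exactly the scenario described above for CVE-2021-43466.
    @GetMapping("/weak/page")
    public String weakPage(@RequestParam("page") String page) {
        return page;
    }

    // Hardened: the parameter is only a key into a fixed table of known templates.
    // Template names are assumed; anything not in the table is rejected with 404,
    // so no client-supplied string ever reaches the view layer.
    private static final Map<String, String> VIEWS = Map.of(
            "home", "pages/home",
            "about", "pages/about");

    @GetMapping("/page")
    public String page(@RequestParam("page") String page) {
        String view = VIEWS.get(page);
        if (view == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "unknown page");
        }
        return view;
    }
}
```

The allowlist is the control that makes the upgrade a defence in depth rather than the only barrier: even on 3.0.13 or later, a controller shaped like weakPage still hands untrusted input to the view layer.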

@OrangeDog

If it's rarely exploitable, I wouldn't expect it to have a severity of 9.8/10

@danielfernandez
Member

@OrangeDog there are quite a lot of things about how this CVE was registered and reported that I wouldn't have expected either. Right now the link explaining the exploit isn't even online anymore (fortunately I could read it before it disappeared), and the description simply says "combined with specific scenarios in template injection" in a hugely generic way when it refers to developers voluntarily creating a security hole in their Spring controller code that, yes, would end up making Thymeleaf execute what it shouldn't. This CVE is exactly the same as declaring it for SpringEL because, in theory, you could use it for executing whatever someone sends you in a request parameter. And as for the severity, I assume that was basically "code injection" -> "critical".

@OrangeDog

OrangeDog commented Nov 26, 2021

Also, you know, the whole "responsible disclosure" thing so there's already a fix before the details are published. Perhaps you can complain and get it a more appropriate severity.

@tumbl3w33d

and 3.0.13 will be released very soon

I'm a little surprised this didn't happen yet within 1 week after the snapshot release. Since it's a patch release, I'd think this is a no-brainer that would be executed by some automatism within minutes/hours?

@Lonzak

Lonzak commented Nov 29, 2021

I have two questions:

1.) Is this vulnerability specific only to that exact version or are previous versions vulnerable, too?
2.) Are related packages like thymeleaf-spring4-3.0.12.RELEASE.jar or thymeleaf-spring3-3.0.12.RELEASE.jar also affected?

Thank you for your transparency...

@dmitry-weirdo

dmitry-weirdo commented Nov 29, 2021

@Lonzak

It definitely affects this artifact that includes it:

    <dependency>
      <groupId>org.thymeleaf</groupId>
      <artifactId>thymeleaf-spring5</artifactId>
      <version>3.0.12.RELEASE</version>
      <scope>compile</scope>
    </dependency>

@Lonzak

Lonzak commented Nov 29, 2021

@dmitry-weirdo That is quite clear - the question was about previous versions and related packages...

@danielfernandez
Member

Thymeleaf 3.0.13.RELEASE has just been released.

@dmitry-weirdo

Sounds very good. When will it and the related Spring artifact be available in the maven repo?

@OrangeDog

@dmitry-weirdo around 11 hours ago

@dmitry-weirdo

@OrangeDog Are you 146% sure? Then I and dependabot/renovate are both blind since we don't see anything new in the repo, see:

@OrangeDog

@dmitry-weirdo That search index takes a while to update. The actual repo is here:
https://repo1.maven.org/maven2/org/thymeleaf/thymeleaf-spring5/3.0.13.RELEASE/

@dmitry-weirdo

dmitry-weirdo commented Dec 2, 2021

@OrangeDog Thanks for the hint. The aforementioned artifacts are now also in the search index.

However, spring-boot-starter-thymeleaf with dependency on the new thymeleaf-spring5 has not been released yet, so that I still cannot update my app :(
Even here — https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-thymeleaf/

I added a ticket for Spring boot here — spring-projects/spring-boot#28893.

@danielfernandez
Member

@dmitry-weirdo in order to use this new version of Thymeleaf in a Spring Boot application you only need to define this property:

    <properties>
        ...
        <thymeleaf.version>3.0.13.RELEASE</thymeleaf.version>
    </properties>

@dmitry-weirdo

@danielfernandez Thank you for the hint, but it doesn't seem to fix the CVE caught by dependency-check-maven plugin and Trivy, since spring-boot-starter-thymeleaf continues to depend on org.thymeleaf:thymeleaf-spring5:jar:3.0.12.RELEASE.

@OrangeDog

@dmitry-weirdo then you've set up your Spring Boot project incorrectly.

@chrismathews

Can confirm. If you are inheriting from spring-boot-starter-parent (as most Spring Boot applications do) then overriding the relevant Maven property will override the Spring-managed version. If you aren't inheriting from spring-boot-starter-parent then you will need to add explicit dependencyManagement configuration to your application.... this would generally be considered an anti-practice in Spring.

In the specific issue of thymeleaf-spring5... I updated numerous applications to use 3.0.13.RELEASE with the aforementioned property two days back with zero issues.

@dmitry-weirdo

dmitry-weirdo commented Dec 2, 2021

@OrangeDog

@chrismathews

Most probably you're right.
However, I don't understand how we can switch the Maven dependency (i.e. version 3.0.12) off without explicitly excluding it.

Here is what my Maven configs look like:

Parent pom.xml:

    <properties>
        <!-- ... -->
        <spring-boot.version>2.6.1</spring-boot.version>
        <thymeleaf.version>3.0.13.RELEASE</thymeleaf.version> <!-- see https://github.com/thymeleaf/thymeleaf-spring/issues/263#issuecomment-984568545 -->
        <!-- ... -->
    </properties>

    <!-- ... -->

    <dependencyManagement>
        <!-- ... -->

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-parent</artifactId>
            <version>${spring-boot.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>

        <!-- ... -->
    </dependencyManagement>

Child pom.xml:

    <!-- ... -->

    <dependencies>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <!-- ... -->
   
    </dependencies>

    <!-- ... -->

I also tried to add <thymeleaf.version>3.0.13.RELEASE</thymeleaf.version> in the child pom as well, with the same result.

Could you perhaps give a hint on how to switch the Thymeleaf version in this kind of configuration, please?

@chrismathews

You aren't using spring-boot-starter-parent as the Maven parent for your application... that is the problem. You should be doing:

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.1</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

See https://start.spring.io/ for a complete example.

@danielfernandez
Member

Please note Thymeleaf 3.0.14.RELEASE has been released including additional improvements in checks related to restricted-mode detection. Updating to this new version is strongly recommended.
