CVE-2022-37767

Name of the Vulnerable Software and Affected Versions Pebble Templates version 3.1.5

Description The issue allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok. It is noted that the vendor disputes this, as input to the Pebble templating engine is intended to include arbitrary Java code. The vendor suggests that either the input should not arrive from an untrusted source, or else the application using the engine should apply restrictions to the input, as the engine is not responsible for validating the input.

Recommendations For version 3.1.5, consider applying restrictions to the input of the Pebble templating engine to prevent arbitrary code execution, or ensure that the input does not arrive from an untrusted source. As a temporary workaround, consider restricting the use of the springbok functionality until a more robust solution is implemented.