13829 2023-10-18 20:24:41 +0300 [CVE 21] codegen 0.6.8 CVEs found 2023-10-27 19:08:40 +0300 1 1 2 ROSA-based products ROSA Fresh System (kernel, glibc, systemd, bash, PAM...) All All Linux RESOLVED INVALID CVE-2022-24881, Highest blocker --- 1 y.tumanov bugs a.proklov e.kosachev s.matveev v.potapov y.tumanov 2021.1 oldest_to_newest 69717 0 y.tumanov 2023-10-18 20:24:41 +0300 Please patch CVEs for package codegen version 0.6.8 INFO (CVEs are): codegen 0.6.8 cves found CVE-2022-24881 Desc: Ballcat Codegen provides the function of online editing code to generate templates. In versions prior to 1.0.0.beta.2, attackers can implement remote code execution through malicious code injection of the template engine. This happens because Velocity and freemarker templates are introduced but input verification is not done. The fault is rectified in version 1.0.0.beta.2. Link: https://nvd.nist.gov/vuln/detail/CVE-2022-24881 Severity: CRITICAL 70037 1 v.potapov 2023-10-20 11:53:25 +0300 *** Bug 13697 has been marked as a duplicate of this bug. *** 70039 2 v.potapov 2023-10-20 11:53:39 +0300 *** Bug 13506 has been marked as a duplicate of this bug. *** 70406 3 a.proklov 2023-10-24 03:12:17 +0300 Эта уязвимость не для нашего проекта, это для https://github.com/ballcat-projects/ballcat-codegen У нас в репах https://github.com/mysema/codegen т.е. другой проект. https://abf.io/import/codegen 70572 4 y.tumanov 2023-10-27 19:08:40 +0300 secteam_verified