CVE-2020-26282

10.0 CRITICAL

📋 TL;DR

CVE-2020-26282 is a critical Server-Side Template Injection vulnerability in BrowserUp Proxy that allows unauthenticated attackers to inject arbitrary Java Expression Language expressions, leading to remote code execution. This affects organizations using BrowserUp Proxy for HTTP manipulation, content capture, or Selenium testing. The vulnerability enables complete system compromise on affected servers.

💻 Affected Systems

Products:
  • BrowserUp Proxy
Versions: All versions before 2.1.2
Operating Systems: All operating systems running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments including standalone proxy servers and Selenium test integrations. No special configuration required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the server, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to data theft, cryptocurrency mining, or use as part of a botnet.

🟢 If Mitigated

Limited impact if isolated in test environments with no sensitive data or network access.

🌐 Internet-Facing: HIGH - Directly exploitable without authentication via HTTP requests to the proxy server.
🏢 Internal Only: HIGH - Even internal deployments are vulnerable to any user or system that can send HTTP requests to the proxy.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. Attackers can send crafted HTTP requests to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.2

Vendor Advisory: https://github.com/browserup/browserup-proxy/security/advisories/GHSA-wmfg-55f9-j8hq

Restart Required: Yes

Instructions:

1. Stop the BrowserUp Proxy service.
2. Update to version 2.1.2 or later using your package manager or a manual download.
3. Restart the service.
4. Verify the fix by checking the version and testing functionality.

🔧 Temporary Workarounds

Network Isolation (linux)

Restrict network access to BrowserUp Proxy instances using firewall rules. iptables evaluates rules in order, so the ACCEPT rule for the trusted network must be added before the DROP rule:

iptables -A INPUT -p tcp --dport [PROXY_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [PROXY_PORT] -j DROP

Disable Vulnerable Endpoints (all platforms)

Configure a reverse proxy to block access to the vulnerable endpoints if possible.

🧯 If You Can't Patch

  • Immediately isolate affected systems from production networks and internet access
  • Implement strict network segmentation and monitor all traffic to/from BrowserUp Proxy instances

🔍 How to Verify

Check if Vulnerable:

Check BrowserUp Proxy version. If version is below 2.1.2, the system is vulnerable.

Check Version:

java -jar browserup-proxy-[version].jar --version

Alternatively, check the version printed in the startup logs.

Verify Fix Applied:

Confirm version is 2.1.2 or higher and test that proxy functionality works without allowing template injection.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Java EL expressions in HTTP requests
  • Unexpected process execution from proxy service
  • Error logs containing template parsing failures

Network Indicators:

  • HTTP requests containing ${...} patterns to proxy endpoints
  • Outbound connections from proxy server to unexpected destinations

SIEM Query:

source="browserup-proxy" AND (message="*${*" OR message="*#{*" OR message="*ExpressionLanguage*")
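The log indicators above can be checked offline against a proxy access log. The following is an added example, not code from the advisory or from the BrowserUp Proxy project: it parses constructed access-log lines, decodes URL encoding (including a second layer, which the literal `*${*` match in the SIEM query would miss) and flags requests whose target carries an EL delimiter. The log format, paths and addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (common access-log layout); not real traffic
# and not the product's API paths.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /proxy/8080/status HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2021:10:00:01 +0000] "PUT /proxy/8080/config?name=${probe} HTTP/1.1" 200 12
10.0.0.9 - - [01/Jan/2021:10:00:02 +0000] "POST /proxy/8080/config?name=%24%7Bprobe%7D HTTP/1.1" 200 12
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /proxy/8080/config?name=%2523%257Bprobe%257D HTTP/1.1" 200 12
10.0.0.2 - - [01/Jan/2021:10:00:04 +0000] "GET /proxy HTTP/1.1" 200 64
"""

# Matches the ${...} and #{...} delimiters used by Java EL.
EL_MARKER = re.compile(r"[$#]\{")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding, so that both %24%7B
    and the double-encoded %2524%257B surface as the literal ${."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_el_probes(log_text: str) -> list[dict]:
    """Return one record per request whose decoded target contains an EL delimiter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # skip lines that do not fit the expected layout
            continue
        target = fully_decode(m.group("target"))
        if EL_MARKER.search(target):
            hits.append({"src": m.group("src"), "method": m.group("method"),
                         "target": target, "status": int(m.group("status"))})
    return hits


def count_by_source(hits: list[dict]) -> dict[str, int]:
    """Aggregate flagged requests per client address for triage."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts
```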
