CVE-2021-31635

9.8 CRITICAL

📋 TL;DR

CVE-2021-31635 is a Server-Side Template Injection (SSTI) vulnerability in the jFinal framework that allows remote attackers to execute arbitrary code by manipulating template functions. It affects all applications using vulnerable versions of jFinal. Attackers can achieve remote code execution with potentially devastating consequences.

💻 Affected Systems

Products:
  • jFinal Java Web Framework
Versions: v4.9.08 and earlier
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using jFinal's template engine with user-controlled input is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the server, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to web application compromise, data theft, and potential pivot to internal network resources.

🟢 If Mitigated

Attack blocked at WAF level or prevented by input validation, resulting in no impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSTI vulnerabilities in Java frameworks are commonly exploited with publicly available payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: jFinal 4.9.09 and later

Vendor Advisory: https://github.com/jfinal/jfinal/issues/187

Restart Required: Yes

Instructions:

1. Update the jFinal dependency to version 4.9.09 or later in your pom.xml or build.gradle.
2. Rebuild and redeploy your application.
3. Restart the application server.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement strict input validation and sanitization for all user-controlled template parameters.

WAF Rule Implementation

Applies to: all

Deploy web application firewall rules to detect and block SSTI payloads.

🧯 If You Can't Patch

  • Implement strict input validation to reject any template syntax in user inputs
  • Deploy network segmentation and restrict access to vulnerable applications

🔍 How to Verify

Check if Vulnerable:

Check your project's dependency management file (pom.xml, build.gradle) for jFinal version 4.9.08 or earlier

Check Version:

grep -i jfinal pom.xml build.gradle 2>/dev/null   # direct declaration in the build file
mvn dependency:tree | grep -i jfinal               # Maven projects (also finds transitive pulls)
./gradlew dependencies | grep -i jfinal            # Gradle projects

Verify Fix Applied:

Verify jFinal version is 4.9.09 or later in your dependencies and test template functionality with safe inputs

📡 Detection & Monitoring

Log Indicators:

  • Unusual template rendering errors
  • Java class loading from unexpected sources
  • Suspicious template expressions in request parameters

Network Indicators:

  • HTTP requests containing template syntax like ${, #{, or <% in parameters
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND ("${*" OR "#{" OR "<%" OR "%>" OR "@Runtime" OR "@ProcessBuilder")
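The log-based detection above, as an added example that is not part of the advisory: it parses access-log lines in Common Log Format (an assumption), percent-decodes every query parameter until stable so double-encoded payloads are not missed, and flags the indicator strings the advisory lists. The sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Indicator strings from the advisory's Network Indicators / SIEM query.
INDICATORS = ("${", "#{", "<%", "%>", "@Runtime", "@ProcessBuilder")

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index?name=alice HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index?name=%24%7Bfoo%7D HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /page?tpl=%253C%2525+x+%2525%253E HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /page?q=%40Runtime HTTP/1.1" 200 1',
    '10.0.0.3 - - [01/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0',
]

# Assumed log layout: client IP, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_indicators(value):
    """Return the advisory's indicator strings present in a decoded parameter value."""
    return [ind for ind in INDICATORS if ind in value]

def scan_line(line):
    """Parse one access-log line; return a hit dict, or None if nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):  # one decode round happens here
        hits = find_indicators(fully_decode(raw))
        if hits:
            findings.append({"param": name, "indicators": hits})
    if not findings:
        return None
    # Status is kept so a 500 (template rendering error) can be correlated with the indicator.
    return {"ip": m.group("ip"), "status": int(m.group("status")), "findings": findings}

def scan(lines):
    return [hit for hit in (scan_line(line) for line in lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Request bodies are not in access logs, so POST parameters need a proxy or application-level log with the same check applied.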
