CVE-2023-38286
📋 TL;DR
This CVE describes a sandbox bypass vulnerability in Thymeleaf templates that allows Server-Side Template Injection (SSTI) and potential remote code execution. It affects Spring Boot Admin when MailNotifier is enabled and attackers can modify environment variables through the UI. Systems using vulnerable versions of Thymeleaf (through 3.1.1.RELEASE) or Spring Boot Admin (through 3.1.1) are at risk.
💻 Affected Systems
- Thymeleaf
- Spring Boot Admin
📦 What is this software?
Spring Boot Admin by Codecentric
Thymeleaf by Thymeleaf
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise, allowing attackers to execute arbitrary commands on the server.
Likely Case
Server-side template injection leading to information disclosure, file system access, or limited code execution depending on configuration.
If Mitigated
No impact if MailNotifier is disabled and environment variable modification is restricted via proper access controls.
🎯 Exploit Status
Exploitation requires authenticated access to modify environment variables and MailNotifier enabled. Public PoC available on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Thymeleaf 3.1.2.RELEASE or later, Spring Boot Admin 3.1.2 or later
Vendor Advisory: https://github.com/thymeleaf/thymeleaf/releases/tag/thymeleaf-3.1.2.RELEASE
Restart Required: Yes
Instructions:
1. Update the Thymeleaf dependency to 3.1.2.RELEASE or later.
2. Update Spring Boot Admin to 3.1.2 or later.
3. Restart the affected applications.
🔧 Temporary Workarounds
Disable MailNotifier
Disable the MailNotifier feature in the Spring Boot Admin configuration:
spring.boot.admin.notify.mail.enabled=false
Restrict Environment Variable Access
Implement access controls that prevent unauthorized modification of environment variables via the UI.
🧯 If You Can't Patch
- Disable MailNotifier feature immediately
- Implement strict access controls on environment variable modification endpoints
🔍 How to Verify
Check if Vulnerable:
Check the Thymeleaf version in pom.xml or build.gradle (vulnerable if below 3.1.2.RELEASE) AND check the Spring Boot Admin version (vulnerable if below 3.1.2) AND verify whether MailNotifier is enabled.
Check Version:
For Maven: mvn dependency:tree | grep thymeleaf
For Gradle: gradle dependencies | grep thymeleaf
Verify Fix Applied:
Confirm Thymeleaf version is 3.1.2.RELEASE or later and Spring Boot Admin is 3.1.2 or later.
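An added example, not part of the advisory, that automates the version check above: it reads Maven or Gradle dependency-tree output and flags any Thymeleaf or Spring Boot Admin coordinate older than the fixed versions. The artifact coordinates org.thymeleaf:thymeleaf and de.codecentric:spring-boot-admin-server are assumed; the fixed versions are the ones stated in this advisory.

```shell
#!/bin/sh
# Flag vulnerable Thymeleaf / Spring Boot Admin coordinates in `mvn dependency:tree`
# or `gradle dependencies` output. Fixed versions are from the advisory; the
# artifact coordinates are assumed, not taken from it.

# Return 0 when version $1 is older than fixed version $2, comparing the first three
# numeric parts (suffixes such as ".RELEASE" or "-SNAPSHOT" are ignored).
version_before_fix() {
    awk -v v="$1" -v f="$2" 'BEGIN {
        sub(/[^0-9.].*$/, "", v); split(v, a, "."); split(f, b, ".")
        for (i = 1; i <= 3; i++) { if (a[i] + 0 < b[i] + 0) exit 0; if (a[i] + 0 > b[i] + 0) exit 1 }
        exit 1 }'
}

# Print the resolved version of group:artifact $1 on dependency-tree line $2 (nothing if
# absent). Maven prints group:artifact:type:version:scope; Gradle prints
# group:artifact:version, plus " -> resolved" when conflict resolution upgraded it.
coordinate_version() {
    cv_coord=$1; cv_line=$2
    case "$cv_line" in
        *"$cv_coord:"*" -> "*) cv_rest=${cv_line##*" -> "}; printf '%s\n' "${cv_rest%% *}" ;;
        *"$cv_coord:"*) cv_rest=${cv_line##*"$cv_coord:"}
            printf '%s\n' "$cv_rest" | awk -F: '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]/) { sub(/ .*/, "", $i); print $i; exit } }' ;;
    esac
}

# Read dependency-tree text on stdin, print a verdict per matched artifact, and return 0
# if any vulnerable coordinate was seen (1 otherwise).
scan_dependency_tree() {
    found=1
    while IFS= read -r line; do
        for spec in org.thymeleaf:thymeleaf=3.1.2 de.codecentric:spring-boot-admin-server=3.1.2; do
            ver=$(coordinate_version "${spec%=*}" "$line")
            [ -n "$ver" ] || continue
            if version_before_fix "$ver" "${spec#*=}"; then
                printf 'VULNERABLE %s %s (fixed in %s)\n' "${spec%=*}" "$ver" "${spec#*=}"; found=0
            else
                printf 'OK %s %s\n' "${spec%=*}" "$ver"
            fi
        done
    done
    return "$found"
}

# Constructed sample mixing Maven and Gradle formats; for a real project pipe in
# `mvn dependency:tree | scan_dependency_tree` or `gradle dependencies | scan_dependency_tree`.
SAMPLE_TREE='[INFO] +- org.thymeleaf:thymeleaf:jar:3.1.1.RELEASE:compile
[INFO] +- de.codecentric:spring-boot-admin-server:jar:3.1.2:compile
+--- org.thymeleaf:thymeleaf:3.1.0.RELEASE -> 3.1.2.RELEASE (*)'
printf '%s\n' "$SAMPLE_TREE" | scan_dependency_tree
```

The exit status is 0 when something vulnerable was found, so the script can gate a CI job.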
📡 Detection & Monitoring
Log Indicators:
- Unusual template rendering errors
- Suspicious environment variable modifications
- MailNotifier configuration changes
Network Indicators:
- HTTP requests to environment variable modification endpoints with unusual payloads
SIEM Query:
source="application.log" AND ("Thymeleaf" OR "template" OR "environment.variable") AND ("error" OR "exception" OR "malformed")