billow
OGNL Expression Injection Vulnerability
Hi!
I am a staff member of QiAnXin Code Guard. In our open source code detection project, I found an OGNL Expression Injection Vulnerability in "billow". The details are as follows:
In handleComplexSQS(), the parameters in the request are obtained by getQuery(params)
and finally passed into listQueuesFromQueryExpression(), which then:
parses the argument as an OGNL expression!
An attacker can construct an OGNL expression for RCE.
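The mitigation a reviewer would ask for at this sink is to stop evaluating the query string with default member access and instead confine OGNL to the public getters of the model being filtered. The following is an added illustration, not billow's own code: the `Queue` model and `QueueFilter` class are hypothetical stand-ins for listQueuesFromQueryExpression(), and it assumes OGNL 3.1+ (where `Ognl.createDefaultContext` accepts a `MemberAccess`); how strictly static calls and class references are gated by `MemberAccess` varies between OGNL releases, so the allowlist must be verified against the version actually shipped.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.Map;
import ognl.MemberAccess;
import ognl.Ognl;
import ognl.OgnlContext;
import ognl.OgnlException;

// Hypothetical stand-in for the queue model that a query expression is evaluated against.
public class QueueFilter {
    public static class Queue {
        private final String name;
        private final int messages;
        public Queue(String name, int messages) { this.name = name; this.messages = messages; }
        public String getName() { return name; }
        public int getMessages() { return messages; }
    }

    // Allowlist: OGNL may only touch public, non-static members declared on Queue itself.
    // Members inherited from Object (e.g. getClass()) are declared elsewhere and are refused,
    // which closes the usual reflection-based escape from the model object.
    static final class QueueOnlyAccess implements MemberAccess {
        @Override
        public Object setup(Map context, Object target, Member member, String propertyName) {
            return null; // no accessibility changes are ever made
        }
        @Override
        public void restore(Map context, Object target, Member member, String propertyName, Object state) {
            // nothing to undo
        }
        @Override
        public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
            return member.getDeclaringClass() == Queue.class
                && Modifier.isPublic(member.getModifiers())
                && !Modifier.isStatic(member.getModifiers());
        }
    }

    // Evaluates an untrusted filter such as "messages > 10 && name.startsWith('prod')"
    // against one queue, with the restricted member access installed in the context.
    public static boolean matches(Queue q, String untrustedExpr) throws OgnlException {
        Object tree = Ognl.parseExpression(untrustedExpr);
        Map ctx = Ognl.createDefaultContext(q, new QueueOnlyAccess());
        Object result = Ognl.getValue(tree, ctx, q);
        return Boolean.TRUE.equals(result); // anything but a boolean true is "no match"
    }
}
```

Even with the allowlist in place, a filter language this expressive is hard to reason about; a parser for a small purpose-built query grammar is the more robust replacement for evaluating user input as OGNL at all.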