Vulnerabilities > CVE-2020-12668 - Incorrect Authorization vulnerability in Hubspot Jinjava
CVSS metrics
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: LOW
- Confidentiality impact: HIGH
- Integrity impact: NONE
- Availability impact: NONE
Summary
Jinjava before 2.5.4 allows access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including arbitrary file disclosure.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/HubSpot/jinjava/compare/jinjava-2.5.3...jinjava-2.5.4
- https://github.com/HubSpot/jinjava/pull/426/commits/5dfa5b87318744a4d020b66d5f7747acc36b213b
- https://github.com/HubSpot/jinjava/pull/435/commits/1b9aaa4b420c58b4a301cf4b7d26207f1c8d1165
- https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.5.4
- https://securitylab.github.com/advisories/GHSL-2020-072-hubspot_jinjava