CVE-2022-37767 INCORRECT AUTHORIZATION IN IO.PEBBLETEMPLATES:PEBBLE

[AndreyGP]

Good afternoon
Perhaps you have not seen a message about a vulnerability in one of the library components.
Thank you so much for your work!
https://devhub.checkmarx.com/cve-details/CVE-2022-37767/?utm_source=jetbrains&utm_medium=referral&utm_campaign=idea

[melistik]

Hey Andrey,
when i see it correctly this issues is still valid also for 2023 and we should maybe change to another template engine?
Is a bug-ticket reported to the author of this library?

Thx for your help

[AndreyGP]

Marten, greetings!
Yes, at the moment the problem persists and the author is aware. There is an issue PebbleTemplates/pebble#625
As I understand it, the author declines all responsibility, despite the detailed discussion of the criticality of the vulnerability in the issue.
The current version was banned by my company's security service due to a vulnerability, but we temporarily found a compromise by upgrading the version of io.pebbletemplates:pebble to 3.2.2. The corporate security service has so far allowed this solution, but version 3.2.2 also has a dependency vulnerability CVE-2023-6378
https://devhub.checkmarx.com/cve-details/CVE-2023-6378/
This dependency vulnerability is not yet a concern for corporate security teams, so upgrading the io.pebbletemplates:pebble version to 3.2.2 is a temporary workable solution.
I think it’s too early to talk about switching to a new template engine; perhaps this will be fixed in version io.pebbletemplates:pebble up to 3.2.3+.

[AndreyGP]

https://mvnrepository.com/artifact/io.pebbletemplates/pebble/3.2.2

[AndreyGP]

Hi!
Great news! A new version of the library has been released, where dependencies are closed.
https://mvnrepository.com/artifact/io.pebbletemplates/pebble/3.2.3