CVE-2021-43466 - Remote Code Execution (RCE)

Severity: Low

Date: 2021-12-10


Abstract

In the thymeleaf-spring5:3.0.12 component, Thymeleaf combined with specific template-injection scenarios may lead to remote code execution.

The Oxygen XML products incorporate thymeleaf-spring as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product: Oxygen Feedback 1.4.3 and older
Severity: Low
Fixed Release Availability: Oxygen Feedback 1.4.4 build 2021062217

Mitigation

None

Detail

CVE-2021-43466

Severity: Critical

CVSS Score: 9.8

The thymeleaf-spring third-party library used by Oxygen XML software products is one of the affected versions named in the CVE-2021-43466 vulnerability description. However, the Oxygen XML software products do not render templates supplied by users. Therefore, Oxygen XML software products are not impacted by CVE-2021-43466.
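The distinction the advisory relies on is whether user input reaches Thymeleaf as data or as the template itself. The following added illustration (not code from Oxygen XML or from the Thymeleaf project; the class and method names are hypothetical) shows the non-impacted pattern: the template text is fixed by the application and user input enters only as a context variable.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class FixedTemplateRendering {
    // The template body is an application-owned constant; users never supply template text.
    private static final String GREETING_TEMPLATE =
        "<p>Hello, <span th:text=\"${name}\">name</span>!</p>";

    private static final TemplateEngine ENGINE = buildEngine();

    private static TemplateEngine buildEngine() {
        TemplateEngine engine = new TemplateEngine();
        // StringTemplateResolver treats the string passed to process() as the template body itself,
        // so whoever controls that string controls the template.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode("HTML");
        engine.setTemplateResolver(resolver);
        return engine;
    }

    /**
     * Non-impacted pattern: the template is the fixed constant above and the
     * user-controlled value is only a context variable. th:text HTML-escapes it,
     * so markup in the name is rendered as literal text, not interpreted.
     */
    public static String renderGreeting(String userSuppliedName) {
        Context ctx = new Context();
        ctx.setVariable("name", userSuppliedName);
        return ENGINE.process(GREETING_TEMPLATE, ctx);
    }

    // The scenario the advisory rules out for Oxygen products is the opposite one:
    // passing user-controlled text as the first argument of ENGINE.process(...),
    // which makes the user the author of the template (the "template injection"
    // precondition in the CVE-2021-43466 description).

    public static void main(String[] args) {
        System.out.println(renderGreeting("<b>Alice</b>"));
    }
}
```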

Starting with Oxygen Feedback version 1.4.4, the thymeleaf-spring package was updated to version 3.0.13, which includes a fix for this vulnerability.
