Détail du CWE-1336

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine
Incomplete
2021-07-20
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

Informations générales

Modes d'introduction

Architecture and Design : The developer might choose a template engine that makes it easier for programmers to write vulnerable code.
Implementation : The programmer might not use engine's built-in sandboxes or other capabilities to escape or otherwise prevent template injection from untrusted input.

Plateformes applicables

Langue

Name: Java (Undetermined)
Name: PHP (Undetermined)
Name: Python (Undetermined)
Name: JavaScript (Undetermined)
Class: Interpreted (Undetermined)

Systèmes d’exploitation

Class: Not OS-Specific (Undetermined)

Technologies

Class: Not Technology-Specific (Undetermined)
Name: AI/ML (Undetermined)
Class: Client Server (Undetermined)

Conséquences courantes

Portée Impact Probabilité
IntegrityExecute Unauthorized Code or Commands

Exemples observés

Références Description

CVE-2024-34359

Chain: Python bindings for LLM library do not use a sandboxed environment when parsing a template and constructing a prompt, allowing jinja2 Server Side Template Injection and code execution - one variant of a "prompt injection" attack.

CVE-2017-16783

server-side template injection in content management server

CVE-2020-9437

authentication / identity management product has client-side template injection

CVE-2020-12790

Server-Side Template Injection using a Twig template

CVE-2021-21244

devops platform allows SSTI

CVE-2020-4027

bypass of Server-Side Template Injection protection mechanism with macros in Velocity templates

CVE-2020-26282

web browser proxy server allows Java EL expressions from Server-Side Template Injection

CVE-2020-1961

SSTI involving mail templates and JEXL expressions

CVE-2019-19999

product does not use a "safe" setting for a FreeMarker configuration, allowing SSTI

CVE-2018-20465

product allows read of sensitive database username/password variables using server-side template injection

Mesures d’atténuation potentielles

Phases : Architecture and Design
Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
Phases : Implementation
Use the template engine's sandbox or restricted mode, if available.

Méthodes de détection

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Efficacité : High

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notes

Since expression languages are often used in templating languages, there may be some overlap with CWE-917 (Expression Language Injection). XSS (CWE-79) is also co-located with template injection.
The interrelationships and differences between CWE-917 and CWE-1336 need to be further clarified.

Références

REF-1193

Server-Side Template Injection
James Kettle.
https://portswigger.net/research/server-side-template-injection

REF-1194

Server-Side Template Injection: RCE For The Modern Web App
James Kettle.
https://www.youtube.com/watch?v=3cT0uE7Y87s

Soumission

Nom Organisation Date Date de publication Version
CWE Content Team MITRE 2021-07-19 +00:00 2021-07-20 +00:00 4.5

Modifications

Nom Organisation Date Commentaire
CWE Content Team MITRE 2022-06-28 +00:00 updated Maintenance_Notes, Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-07-16 +00:00 updated Applicable_Platforms, Observed_Examples
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Detection_Factors, Weakness_Ordinalities
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.