-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
There is a lot of bad information out there about this issue.
What I have gathered so far, is that this is actually a real problem, but it may not affect most configurations.
This[0] seems to be the original vulnerability analysis, and this is the example vulnerable app[1].
The main issue seems to be, that since java 9, WebDataBinder can be abused to access the classloader via the "class.module.classloader", I'm unsure exactly why "class.classloader" doesn't work, but it is probably intentionally being filtered out somehow.
The proof of concept, then access the "AccessLogValve" class via "class.classLoader.resources.context.parent.pipeline.first", which is only accessible if the application is running using a "WeappClassLoaderBase", it then configures the logger, to output an arbitrary JSP file to the webapp root directory, which can then be used to get a shell.
It looks like this issue is only exploitable if your app is deployed as a war file.
[0]: https://github.com/TheGejr/SpringShell/blob/master/Vulnerabi...