{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/scriban-template-engine/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Scriban Template Engine"],"_cs_severities":["high"],"_cs_tags":["scriban","dos","template-injection"],"_cs_type":"advisory","_cs_vendors":["Scriban"],"content_html":"\u003cp\u003eThe Scriban template engine is vulnerable to a denial-of-service attack due to a bypass in its \u003ccode\u003eLoopLimit\u003c/code\u003e functionality. This vulnerability, affecting Scriban versions prior to 7.0.0, allows attackers to craft template expressions that bypass the configured loop limits, leading to excessive CPU or memory consumption. The issue stems from the fact that \u003ccode\u003eLoopLimit\u003c/code\u003e only applies to script loop statements and not to expensive iteration performed inside operators and built-in functions such as \u003ccode\u003earray.size\u003c/code\u003e and string multiplication. An attacker can exploit this by submitting a single expression, like \u003ccode\u003e{{ 1..1000000 | array.size }}\u003c/code\u003e for CPU exhaustion or \u003ccode\u003e{{ 'A' * 200000000 }}\u003c/code\u003e for memory amplification, even when \u003ccode\u003eLoopLimit\u003c/code\u003e is set to a small value. This vulnerability impacts applications using Scriban with untrusted template content, including template-as-a-service systems, CMS, and email rendering systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Scriban template containing an expression designed to bypass \u003ccode\u003eLoopLimit\u003c/code\u003e. Example: \u003ccode\u003e{{ 1..1000000 | array.size }}\u003c/code\u003e or \u003ccode\u003e{{ 'A' * 200000000 }}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the malicious template to a vulnerable application that uses Scriban for template processing.\u003c/li\u003e\n\u003cli\u003eThe application parses the template using \u003ccode\u003eTemplate.Parse()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application renders the template using \u003ccode\u003etemplate.Render(context)\u003c/code\u003e with a specified \u003ccode\u003eLoopLimit\u003c/code\u003e in \u003ccode\u003eTemplateContext\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003earray.size\u003c/code\u003e function (or string multiplication) is invoked, leading to a large number of iterations or memory allocations \u003cem\u003ewithout\u003c/em\u003e respecting the \u003ccode\u003eLoopLimit\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application's CPU or memory resources are exhausted due to the uncontrolled iteration or allocation.\u003c/li\u003e\n\u003cli\u003eThe application becomes unresponsive or crashes, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for uncontrolled resource consumption, leading to denial-of-service conditions. Any application that accepts attacker-controlled templates and relies on \u003ccode\u003eLoopLimit\u003c/code\u003e is vulnerable. Observed damage includes CPU exhaustion and memory amplification. Vulnerable systems could include template-as-a-service platforms, content management systems (CMS), and email rendering systems. A successful attack can cause application downtime, impacting availability and potentially leading to data loss or corruption if the system crashes during critical operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Scriban to version 7.0.0 or later to address the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement additional safeguards to limit the resources available to template rendering, such as setting CPU and memory limits.\u003c/li\u003e\n\u003cli\u003eImplement input validation on templates to detect and reject potentially malicious expressions. Specifically, look for large ranges used in conjunction with \u003ccode\u003earray.size\u003c/code\u003e, or excessively large string multiplications. Deploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor application resource usage (CPU, memory) for unusual spikes during template rendering. Enable process monitoring and alerting to detect processes consuming excessive resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T12:00:00Z","date_published":"2024-01-27T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-scriban-dos/","summary":"Scriban's LoopLimit can be bypassed by crafted template expressions, allowing attackers to perform resource exhaustion through CPU or memory amplification, leading to denial of service.","title":"Scriban Template Engine LoopLimit Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-scriban-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Scriban Template Engine","version":"https://jsonfeed.org/version/1.1"}