<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Scriban - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/scriban/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 02 May 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/scriban/feed.xml" rel="self" type="application/rss+xml"/><item><title>Scriban TemplateContext MemberFilter Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-05-02-scriban-sandbox-escape/</link><pubDate>Thu, 02 May 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-02-scriban-sandbox-escape/</guid><description>Scriban versions before 7.0.0 are vulnerable to a sandbox escape due to improper caching of type accessors in `TemplateContext`, leading to a `MemberFilter` bypass when a `TemplateContext` is reused, potentially exposing sensitive data.</description><content:encoded><![CDATA[<p>Scriban, a .NET templating engine, is vulnerable to a sandbox escape vulnerability affecting versions prior to 7.0.0. This vulnerability arises from the <code>TemplateContext</code> caching type accessors without clearing them upon reset. Specifically, the <code>TemplateContext</code> caches accessors based on <code>Type</code>, but these accessors are created using the <code>MemberFilter</code> and <code>MemberRenamer</code> active at the time. When a <code>TemplateContext</code> is reused with a tightened filter for subsequent renders, Scriban reuses the old accessor, potentially exposing members that should be hidden. This bypass allows unauthorized access or modification of filtered properties or fields, leading to policy bypass across requests, users, or tenants when contexts are pooled. The vulnerability is present in <code>src/Scriban/TemplateContext.cs</code> and <code>src/Scriban/Runtime/Accessors/TypedObjectAccessor.cs</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An application initializes a <code>TemplateContext</code> with a permissive <code>MemberFilter</code>, allowing access to a wide range of object members.</li>
<li>The application renders a template using the <code>TemplateContext</code>, creating a <code>TypedObjectAccessor</code> for a specific type and caching it within the <code>_memberAccessors</code> dictionary using the <code>Type</code> as the key.</li>
<li>The application calls <code>TemplateContext.Reset()</code>, which clears most of the context but crucially does <em>not</em> clear the <code>_memberAccessors</code> cache.</li>
<li>The application modifies the <code>MemberFilter</code> to be more restrictive, aiming to limit access to specific members.</li>
<li>The application renders another template using the same (reused) <code>TemplateContext</code>.</li>
<li>When the application attempts to access members of the same type as in step 2, Scriban retrieves the cached <code>TypedObjectAccessor</code> from <code>_memberAccessors</code>.</li>
<li>The cached <code>TypedObjectAccessor</code> still uses the original, permissive <code>MemberFilter</code>, bypassing the newly configured restrictive filter.</li>
<li>Sensitive data, which should have been filtered, is exposed or modified, leading to unauthorized access or policy bypass.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows unauthorized read or write access to properties and fields that should have been filtered by the <code>MemberFilter</code>. This can lead to the exposure of sensitive data, unauthorized modification of application state, and policy bypass across requests, users, or tenants. Applications that rely on <code>TemplateContext.MemberFilter</code> for sandboxing or object-exposure policy are particularly vulnerable. The vulnerability affects Scriban versions prior to 7.0.0.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Scriban version 7.0.0 or later to remediate the vulnerability (Affected Packages: nuget/scriban (vulnerable: &lt; 7.0.0)).</li>
<li>Avoid reusing <code>TemplateContext</code> instances with different <code>MemberFilter</code> configurations. Create a new <code>TemplateContext</code> for each rendering operation with a distinct <code>MemberFilter</code>.</li>
<li>Implement server-side checks to validate and sanitize data before rendering it with Scriban to mitigate the impact of potential sandbox escapes.</li>
<li>Monitor Scriban template rendering for unexpected data access patterns to detect potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>scriban</category><category>sandbox-escape</category><category>memberfilter-bypass</category></item><item><title>Scriban `object.to_json` Uncontrolled Recursion DoS</title><link>https://feed.craftedsignal.io/briefs/2024-01-scriban-stack-overflow/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-scriban-stack-overflow/</guid><description>The Scriban library is vulnerable to a denial-of-service attack where a specially crafted template with a self-referencing object passed to the `object.to_json` function causes unbounded recursion, leading to a `StackOverflowException` that terminates the .NET process.</description><content:encoded><![CDATA[<p>Scriban versions prior to 7.0.0 are susceptible to a denial-of-service vulnerability due to uncontrolled recursion in the <code>object.to_json</code> function. This function, used for recursive JSON serialization, lacks depth limits, circular reference detection, and stack overflow guards. A malicious Scriban template containing a self-referencing object, when processed by <code>object.to_json</code>, triggers unbounded recursion, leading to a <code>StackOverflowException</code> that terminates the hosting .NET process. This vulnerability poses a significant risk to applications embedding Scriban for user-provided templates, such as CMS platforms, email template engines, and static site generators. The vulnerability is easily exploitable, requiring only a single line of template code, and does not require authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Scriban template containing a self-referencing object. For example: <code>{{ x = {}; x.self = x; x | object.to_json }}</code>.</li>
<li>The template is submitted to an application that uses Scriban for template processing.</li>
<li>The Scriban engine parses the template and encounters the <code>object.to_json</code> function call.</li>
<li>The <code>ToJson()</code> function in <code>ObjectFunctions.cs</code> calls the vulnerable <code>WriteValue()</code> function.</li>
<li><code>WriteValue()</code> attempts to serialize the self-referencing object without proper recursion checks.</li>
<li>Due to the self-reference, <code>WriteValue()</code> enters an infinite recursion loop.</li>
<li>Each recursive call consumes stack space, eventually leading to a <code>StackOverflowException</code>.</li>
<li>The <code>StackOverflowException</code> terminates the entire .NET process hosting the Scriban engine, resulting in a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability leads to a denial-of-service condition, crashing the entire .NET process hosting the Scriban engine. Any application embedding Scriban for user-provided templates is vulnerable. Because <code>StackOverflowException</code> cannot be caught by application code, the hosting application cannot implement try/catch to survive this. This allows an unauthenticated attacker to trivially crash services using Scriban.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Scriban version 7.0.0 or later, which includes the fix for this vulnerability.</li>
<li>If upgrading is not immediately feasible, consider implementing input validation and sanitization to prevent the use of self-referencing objects in Scriban templates.</li>
<li>Monitor application logs for signs of <code>StackOverflowException</code> errors originating from Scriban template processing.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>denial-of-service</category><category>scriban</category><category>.net</category></item><item><title>Scriban TemplateContext Reset Authorization Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-scriban-auth-bypass/</link><pubDate>Tue, 09 Jan 2024 18:23:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-scriban-auth-bypass/</guid><description>Scriban versions before 7.0.0 have an authorization bypass vulnerability due to a stale include cache surviving TemplateContext.Reset(), potentially serving previously authorized content to subsequent renders in applications reusing TemplateContext objects with request-dependent ITemplateLoaders.</description><content:encoded><![CDATA[<p>Scriban, a .NET templating engine, is vulnerable to an authorization bypass issue affecting applications that reuse <code>TemplateContext</code> objects. Specifically, versions prior to 7.0.0 do not properly clear the <code>CachedTemplates</code> collection when <code>TemplateContext.Reset()</code> is called. This can lead to a situation where an <code>ITemplateLoader</code> that resolves content based on request-specific state (e.g., user identity, tenant context) serves a stale, previously authorized template to subsequent renders, even after the context is reset. This bypass occurs because the <code>include</code> function retrieves templates from the cache without re-evaluating authorization, potentially leaking sensitive data across requests or tenants. This vulnerability could be exploited in multi-tenant or permission-sensitive applications using Scriban templates.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An application initializes a <code>TemplateContext</code> object and configures an <code>ITemplateLoader</code> that resolves template content based on the current request or user context.</li>
<li>A user (e.g., an administrator) makes a request that causes the <code>ITemplateLoader</code> to load a privileged template (e.g., &quot;admin_profile.scriban&quot;) into the <code>TemplateContext</code>.</li>
<li>The <code>include</code> function is used within the main template to load the privileged template. The compiled template is then cached in <code>CachedTemplates</code>.</li>
<li>The application calls <code>TemplateContext.Reset()</code> in an attempt to clear the context for reuse. However, <code>CachedTemplates</code> is not cleared during this reset operation.</li>
<li>A different user (e.g., a regular user) makes a subsequent request that reuses the same <code>TemplateContext</code> object.</li>
<li>The <code>include</code> function is called again, attempting to load a template.</li>
<li>The <code>TemplateContext</code> retrieves the previously cached, privileged template from <code>CachedTemplates</code> without calling <code>ITemplateLoader.Load()</code> again, bypassing the intended authorization check.</li>
<li>The regular user is served the content of the administrator's template, leading to information disclosure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows unauthorized access to sensitive information or functionality in applications using Scriban templating. The primary impact is cross-render data isolation issues, where previously authorized template content can be leaked across different requests, users, or tenants. This can lead to the exposure of sensitive data, privilege escalation, or other security breaches, depending on the content of the leaked templates. Applications that pool or reuse <code>TemplateContext</code> objects, call <code>Reset()</code> between requests, use <code>include</code> for template inclusion, and resolve included content based on request-specific state are vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Scriban version 7.0.0 or later, where this vulnerability is resolved.</li>
<li>If upgrading is not immediately feasible, avoid reusing <code>TemplateContext</code> objects across different requests or user sessions. Create a new <code>TemplateContext</code> for each request.</li>
<li>Review and audit existing Scriban templates and <code>ITemplateLoader</code> implementations to ensure that sensitive data is not inadvertently exposed through template inclusion.</li>
<li>Implement additional authorization checks within the templates themselves to verify user permissions before displaying sensitive data, even if the <code>TemplateLoader</code> is compromised.</li>
<li>Monitor the usage of <code>TemplateContext.Reset()</code> in your application and ensure that it is used correctly and does not lead to unintended data leakage.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>scriban</category><category>template-injection</category><category>authorization-bypass</category></item></channel></rss>