When time permits I will write a blog post about how I found all these vulnerabilities using CodeQL as an audit oracle. Would you read it?
CVE-2021-45046 is vulnerable when attackers can control **non-message** parts of the pattern layout. Here are some examples 🧵
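Added illustration, not part of the thread above: a constructed log4j2.xml showing the kind of "non-message" pattern element the tweet refers to (a deferred Thread Context lookup such as `$${ctx:loginId}`) next to the plain `%X{loginId}` converter that prints the same MDC value without passing it through the lookup machinery. The `loginId` key and appender names are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed log4j2.xml for illustration; not from the original thread.
     Both appenders print the MDC key "loginId" (hypothetical) that the
     application copies from a request via ThreadContext.put("loginId", ...). -->
<Configuration status="warn">
  <Appenders>

    <!-- WEAK: "$$" defers the ctx lookup to log time, so the MDC value is
         handed to the lookup/interpolation engine on every event. Because
         that value is attacker-influenced input, this is the non-message
         pattern element that keeps Log4j 2.15.0 exposed (CVE-2021-45046)
         even though message-text lookups are already disabled. -->
    <Console name="WeakPattern" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=$${ctx:loginId} %m%n"/>
    </Console>

    <!-- HARDENED: %X{loginId} is the MDC pattern converter. It reads the same
         key and prints the value verbatim, with no variable substitution on
         its contents. Layout-level lookups over untrusted data are the thing
         to remove; upgrading to a fixed release (2.16.0 or later, 2.12.2 on
         the Java 7 line) is still required for the JNDI class of issues. -->
    <Console name="HardenedPattern" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=%X{loginId} %m%n"/>
    </Console>

  </Appenders>
  <Loggers>
    <!-- Only the hardened appender is wired in; the weak one is kept
         solely so the two patterns can be compared side by side. -->
    <Root level="info">
      <AppenderRef ref="HardenedPattern"/>
    </Root>
  </Loggers>
</Configuration>
```

A quick audit check for the condition in the tweet is to grep deployed Log4j configurations and PatternLayout strings for `${` and `$${` (any lookup, not just `ctx:`), since a layout lookup is only safe when its input cannot be influenced by a request.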
#CodeQL was also used by @NASAJPL to find critical bugs on Curiosity mission 9 years ago and they were fixed remotely!
🚨 @_atorralba and I just managed to bypass the allowedLdapHost and allowedClasses checks. 2.15 with no formatMsgNoLookups mitigations is still vulnerable to RCE. 2.15.0 w/o those mitigations is vulnerable only if attackers can control non-message parts of the pattern layout🚨
Most Java apps working with databases have configuration files where you specify the JNDI address to fetch the JDBC datasource. Please do not start requesting CVEs for them 🙏🏼
Had some fun with OGNL sandboxes last year. Read how I bypassed Atlassian Confluence and Struts ones in my latest blog post