Java template framework Pebble vulnerable to command injection


Pebble, a Java templating engine, contained a weakness that could let attackers bypass its security safeguards and perform command injection against the host server.

Pebble Templates is a practical choice because of its user-friendly web application templating, its internationalisation support, and security features such as auto-escaping and a block-list method access validator intended to guard against command execution. However, a security researcher has found that, given the right combination of code and template files, Pebble's command execution defence can be bypassed.