Freemarker vulnerabilities 

Issue date: 21-09-2022
Affects versions: 15.1, 14.7, 13.4

Security Issue ID

SECURITY-367

 

Affected Product Version(s)

15.1.0, 14.7.8, 13.4.18, and all previous versions


Severity 

medium


Description

Vulnerability info

org.freemarker:freemarker is a "template engine": a generic tool to generate text output (anything from HTML to auto-generated source code) based on templates.

Affected versions of this package are vulnerable to Server-side Template Injection (SSTI). By allowing user input into java.security.ProtectionDomain.getClassLoader, templates get access to the Java classloader. This can be further leveraged for file system access and code execution. A low-privileged user is sufficient to exploit this vulnerability.

Instructions

Customers are advised to upgrade to the latest version. At the time of writing, the latest versions are 15.2.0, 15.1.1, 14.7.9, and 13.4.19.
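
To triage an inventory of installations against the version ranges above, the following added example (not vendor code) classifies each installed version. The hostnames are constructed sample data, and the rule that an installation moves to the fixed release of its own major line is an assumption.

```python
import re

# Fixed releases named in the advisory, keyed by major release line.
FIXED = {15: (15, 1, 1), 14: (14, 7, 9), 13: (13, 4, 19)}


def triage(version):
    """Return (status, upgrade_to) for one installed version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        # "14.7" or "15.1.x" cannot be placed relative to a patch release.
        return ("unknown", None)
    v = tuple(int(part) for part in m.groups())
    if v[0] > max(FIXED):
        return ("fixed", None)  # newer line than any fixed release
    fix = FIXED.get(v[0])
    if fix is None:
        # Older than 13.x: covered by "all previous versions", and the
        # advisory lists no fixed release in that line.
        return ("affected", None)
    if v >= fix:
        return ("fixed", None)
    # Assumption: an install upgrades to the fixed release of its own line.
    return ("affected", ".".join(str(part) for part in fix))


def triage_inventory(inventory):
    """Return (host, version, status, upgrade_to) rows, affected first."""
    order = {"affected": 0, "unknown": 1, "fixed": 2}
    rows = [(host, ver) + triage(ver) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample data.
    sample = {
        "app-prod-1": "15.1.0",
        "app-prod-2": "15.1.1",
        "app-stage": "14.7.8",
        "app-legacy": "13.3.2",
        "app-old": "12.6.0",
        "app-dev": "14.7",
    }
    for host, ver, status, target in triage_inventory(sample):
        print(f"{host:12} {ver:8} {status:9} upgrade to: {target or '-'}")
```

Entries reported as "unknown" need the exact patch level confirmed before they can be cleared.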