Freemarker vulnerabilitiesIssue date: 21-09-2022
Affects versions: 15.1, 14.7, 13.4
Security Issue ID
Affected Product Version(s)
15.1.0, 14.7.8, 13.4.18, and all previous versions
org.freemarker:freemarker is a "template engine"; a generic tool to generate text output (anything from HTML to auto generated source code) based on templates.
Affected versions of this package are vulnerable to Server-side Template Injection (SSTI). By allowing user input into java.security.ProtectionDomain.getClassLoader, templates will get access to the java classloader. This can be further leveraged for file system access and code execution. A low-privileged user is sufficient for exploitation of this vulnerability.
Customers are recommended to upgrade to the latest version. As of the time of writing, 15.2.0, 15.1.1, 14.7.9, and 13.4.19