CVE-2024-41667

OpenAM is an open access management solution. In versions 15.0.3 and prior, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to override the default PingOne Advanced Identity Cloud login page,they did not restrict the `CustomLoginUrlTemplate`, allowing it to be set freely. Commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 introduces `TemplateClassResolver.SAFER_RESOLVER` to disable the resolution of commonly exploited classes in FreeMarker template injection. As of time of publication, this fix is expected to be part of version 15.0.4.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/OpenIdentityPlatform/OpenAM/commit/fcb8432aa77d5b2e147624fe954cb150c568e0b8
https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-7726-43hg-m23v

Configurations

No configuration.

History

No history.

Information

Published : 2024-07-24 18:15

Updated : 2024-07-25 12:36

NVD link : CVE-2024-41667

Mitre link : CVE-2024-41667

CVE.ORG link : CVE-2024-41667

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2024-41667", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-07-24T18:15:05.310", "references": [{"url": "https://github.com/OpenIdentityPlatform/OpenAM/commit/fcb8432aa77d5b2e147624fe954cb150c568e0b8", "source": "security-advisories@github.com"}, {"url": "https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-7726-43hg-m23v", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "OpenAM is an open access management solution. In versions 15.0.3 and prior, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to override the default PingOne Advanced Identity Cloud login page,they did not restrict the `CustomLoginUrlTemplate`, allowing it to be set freely. Commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 introduces `TemplateClassResolver.SAFER_RESOLVER` to disable the resolution of commonly exploited classes in FreeMarker template injection. As of time of publication, this fix is expected to be part of version 15.0.4."}, {"lang": "es", "value": "OpenAM es una soluci\u00f3n de gesti\u00f3n de acceso abierto. En las versiones 15.0.3 y anteriores, el m\u00e9todo `getCustomLoginUrlTemplate` en RealmOAuth2ProviderSettings.java es vulnerable a la inyecci\u00f3n de plantillas debido al uso de la entrada del usuario. Aunque el desarrollador ten\u00eda la intenci\u00f3n de implementar una URL personalizada para manejar el inicio de sesi\u00f3n para anular la p\u00e1gina de inicio de sesi\u00f3n predeterminada de PingOne Advanced Identity Cloud, no restringieron la `CustomLoginUrlTemplate`, lo que permiti\u00f3 configurarla libremente. La confirmaci\u00f3n fcb8432aa77d5b2e147624fe954cb150c568e0b8 introduce `TemplateClassResolver.SAFER_RESOLVER` para deshabilitar la resoluci\u00f3n de clases com\u00fanmente explotadas en la inyecci\u00f3n de plantillas de FreeMarker. Al momento de la publicaci\u00f3n, se espera que esta soluci\u00f3n forme parte de la versi\u00f3n 15.0.4."}], "lastModified": "2024-07-25T12:36:39.947", "sourceIdentifier": "security-advisories@github.com"}