8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41667

GHSA ID

GHSA-7726-43hg-m23v

EPSS Score

0.97152%

CWE

CWE-94

Published

7/25/2024

Updated

7/25/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-41667

CVE-2024-41667: OpenAM FreeMarker template injection

OpenAM is an open access management solution. In versions 15.0.3 and prior, the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to override the default PingOne Advanced Identity Cloud login page,they did not restrict the CustomLoginUrlTemplate, allowing it to be set freely. Commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 introduces TemplateClassResolver.SAFER_RESOLVER to disable the resolution of commonly exploited classes in FreeMarker template injection. As of time of publication, this fix is expected to be part of version 15.0.4.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41667

GHSA ID

GHSA-7726-43hg-m23v

EPSS Score

0.97152%

CWE

CWE-94

Published

7/25/2024

Updated

7/25/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.openidentityplatform.openam:openam-oauth2	maven	<= 15.0.3	15.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the getCustomLoginUrlTemplate method which constructs a FreeMarker Template object using user-controlled loginUrlTemplateString. The pre-patch implementation lacked TemplateClassResolver.SAFER_RESOLVER configuration, allowing attackers to inject templates that resolve dangerous classes. The commit fix explicitly adds this security measure, confirming this as the vulnerable entry point. The CWE-94 classification and reproduction steps demonstrating RCE via template injection further validate() this analysis.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Op*n*M is *n op*n ****ss m*n***m*nt solution. In v*rsions **.*.* *n* prior, t** `**t*ustomLo*inUrlT*mpl*t*` m*t*o* in R**lmO*ut**Provi**rS*ttin*s.j*v* is vuln*r**l* to t*mpl*t* inj**tion *u* to its us*** o* us*r input. *lt*ou** t** **v*lop*r int*n***

Reasoning

T** vuln*r**ility st*ms *rom t** `**t*ustomLo*inUrlT*mpl*t*` m*t*o* w*i** *onstru*ts * *r**M*rk*r T*mpl*t* o*j**t usin* us*r-*ontroll** `lo*inUrlT*mpl*t*Strin*`. T** pr*-p*t** impl*m*nt*tion l**k** `T*mpl*t**l*ssR*solv*r.S***R_R*SOLV*R` *on*i*ur*tion

8.8

Basic Information

Concerned about an active attack path?

CVE-2024-41667: OpenAM FreeMarker template injection

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI