-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe analysis is based on the detailed vulnerability description provided, which clearly identifies the root cause of the Server-Side Template Injection (SSTI) vulnerability. The core of the vulnerability is in the getTemplate method within the DefaultTemplateProvider.java file. This method takes a template name, fetches the corresponding template content from the database (which can be modified by an administrator), and then creates a new FreeMarker Template object. The critical flaw is that it initializes this template with a default, unsandboxed Configuration. This default configuration permits the use of powerful and dangerous FreeMarker built-ins, such as ?new(), which allows for the instantiation of arbitrary Java objects. The provided exploit PoC demonstrates how an attacker can use this to instantiate freemarker.template.utility.Execute and pass shell commands to it, achieving RCE. The provided patch correctly remediates this by creating a secure, sandboxed Configuration that disables these dangerous features before creating the template object. The function org.openmetadata.service.util.DefaultTemplateProvider.getTemplate is therefore the explicitly vulnerable function, as it is responsible for creating the insecure template object that enables the exploit.
org.openmetadata.service.util.DefaultTemplateProvider.getTemplateopenmetadata-service/src/main/java/org/openmetadata/service/util/DefaultTemplateProvider.java
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.open-metadata:platform | maven | < 1.11.4 | 1.11.4 |