cbcvebase.
CVE-2024-41667
published 2024-07-24


Priority: P2 (66) · Severity: high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: flagged
EPSS: 3.54% (87.8th percentile)
OpenAM is an open access management solution. In versions 15.0.3 and prior, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.java is vulnerable to template injection because it renders user-controlled input as a template. Although the developer intended to allow a custom login URL that overrides the default OpenAM login, they did not restrict the `CustomLoginUrlTemplate` value, so it can be set freely. Commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 introduces `TemplateClassResolver.SAFER_RESOLVER` to disable the resolution of commonly exploited classes in FreeMarker template injection. As of the time of publication, this fix is expected to be part of version 15.0.4.

Affected (1 range)

Vendor                Product  Version range  Fixed in
openidentityplatform  openam   < 15.0.4       15.0.4

Detection & IOCs (extracted from sources)

url: POST /openam/json/realms/root/realm-config/services/oauth-oidc?_action=create
url: PUT /openam/json/realms/root/realm-config/services/oauth-oidc
url: /openam/oauth2/realms/root/authorize
command: ${value("head -n 1 /etc/passwd")}
path: /openam/json/realms/root/realm-config/services/oauth-oidc
  • Detect exploitation attempts by monitoring PUT requests to /openam/json/realms/root/realm-config/services/oauth-oidc containing 'customLoginUrlTemplate' with FreeMarker template injection payloads (e.g., ${value(...)}).
  • Successful exploitation can be confirmed by detecting 'root:x:0:0:' in the URL-decoded Location header of the OAuth2 authorize response, indicating /etc/passwd content leakage.
  • Monitor for the X-Requested-With: XMLHttpRequest header combined with Content-Type: application/json on requests to OpenAM OAuth2 provider configuration endpoints as part of the exploit chain.
  • The vulnerability resides in the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java; alert on any FreeMarker template expression (${...}) set in the customLoginUrlTemplate field.
  • The fix (commit fcb8432aa77d5b2e147624fe954cb150c568e0b8) introduces TemplateClassResolver.SAFER_RESOLVER to restrict FreeMarker class resolution, but does NOT fully sandbox template injection — only commonly exploited classes are blocked. Custom payloads using non-blocked classes may still succeed.
  • The exploit requires the attacker to have sufficient privileges to set the CustomLoginUrlTemplate configuration value, as the developer did not restrict it from being freely set.
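The detection bullets above can be turned into a small log-review routine. The following is an added example, not code from the CVE record or from the OpenAM project: it evaluates request/response records against the three signals listed (a FreeMarker expression in customLoginUrlTemplate written to the oauth-oidc config endpoint, the XMLHttpRequest + application/json header combination on that write, and `root:x:0:0:` appearing in the URL-decoded Location header of an authorize response). The record shape, the nesting of the config document, and the sample traffic are assumptions constructed for the example; the `#{` and `<#` openers are added because FreeMarker accepts them, although the page itself names only `${...}`.

```python
import json
import re
from urllib.parse import unquote

# Endpoints listed in the IOC section of the record.
CONFIG_PATH = "/openam/json/realms/root/realm-config/services/oauth-oidc"
AUTHORIZE_PATH = "/openam/oauth2/realms/root/authorize"

# FreeMarker interpolation and directive openers. Assumption: the record names
# only ${...}; #{...} and <#...> are added because FreeMarker accepts them too.
FREEMARKER_RE = re.compile(r"\$\{|#\{|<#")
# Marker the record gives for leaked /etc/passwd content in the authorize redirect.
PASSWD_MARKER = "root:x:0:0:"


def _find_key(obj, key):
    """Depth-first search for `key` in nested JSON (dicts/lists); first value or None."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for v in obj.values():
            hit = _find_key(v, key)
            if hit is not None:
                return hit
    elif isinstance(obj, list):
        for v in obj:
            hit = _find_key(v, key)
            if hit is not None:
                return hit
    return None


def template_injection_findings(rec):
    """Evaluate one request/response record and return a list of finding names.

    Record shape (an assumption for this example, not an OpenAM log format):
      {"method", "path", "headers": {...}, "body": str, "resp_headers": {...}}
    """
    findings = []
    method = rec.get("method", "").upper()
    path = rec.get("path", "").split("?", 1)[0]
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    body = rec.get("body", "")

    if path == CONFIG_PATH and method in ("PUT", "POST"):
        try:
            doc = json.loads(body) if body else None
        except json.JSONDecodeError:
            doc = None
        tmpl = _find_key(doc, "customLoginUrlTemplate")
        if tmpl is None and "customLoginUrlTemplate" in body:
            tmpl = body  # malformed JSON: fall back to scanning the raw body
        if isinstance(tmpl, str) and FREEMARKER_RE.search(tmpl):
            findings.append("freemarker_expression_in_customLoginUrlTemplate")
            # Header combination from the IOC list. Recorded only as context next to
            # the template finding: admin consoles send these headers on legitimate
            # writes too, so on its own it would be noise.
            if (headers.get("x-requested-with") == "XMLHttpRequest"
                    and headers.get("content-type", "").startswith("application/json")):
                findings.append("ajax_json_write_to_oauth_oidc_config")

    if path == AUTHORIZE_PATH:
        # The record says the leaked content shows up URL-encoded in Location.
        location = unquote(rec.get("resp_headers", {}).get("Location", ""))
        if PASSWD_MARKER in location:
            findings.append("passwd_content_in_authorize_redirect")
    return findings


def scan(records):
    """Return [(index, findings)] for every record that produced at least one finding."""
    out = []
    for i, rec in enumerate(records):
        f = template_injection_findings(rec)
        if f:
            out.append((i, f))
    return out


# Constructed sample traffic (not real captures); the "advanced" nesting is invented.
SAMPLE_RECORDS = [
    {   # config write carrying a FreeMarker expression in the template field
        "method": "PUT",
        "path": CONFIG_PATH,
        "headers": {"Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest"},
        "body": json.dumps({"advanced": {"customLoginUrlTemplate": '${value("head -n 1 /etc/passwd")}'}}),
    },
    {   # legitimate admin change: plain URL, no template syntax
        "method": "PUT",
        "path": CONFIG_PATH,
        "headers": {"Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest"},
        "body": json.dumps({"advanced": {"customLoginUrlTemplate": "https://sso.example.com/login"}}),
    },
    {   # authorize response whose redirect carries URL-encoded /etc/passwd content
        "method": "GET",
        "path": AUTHORIZE_PATH + "?client_id=demo&response_type=code",
        "headers": {},
        "body": "",
        "resp_headers": {"Location": "https://sso.example.com/login?goto=root%3Ax%3A0%3A0%3Aroot%3A%2Froot"},
    },
]

if __name__ == "__main__":
    for idx, f in scan(SAMPLE_RECORDS):
        print(idx, f)
```

Run stand-alone it reports records 0 and 2 and stays silent on the benign write in record 1. Because the fix only blocks commonly exploited classes, alerting on any template syntax in this field (rather than on specific payload strings) is the check that stays useful after upgrading.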