CVE-2024-41667

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Jul 24, 2024
Updated: Aug 6, 2024
CWE ID 94

Summary

CVE-2024-41667 is a vulnerability affecting OpenAM, an open access management solution. In versions 15.0.3 and below, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.java is susceptible to template injection due to insufficient input validation. The developer intended to allow custom URLs for handling login but did not restrict the `CustomLoginUrlTemplate`, leaving it open to arbitrary template manipulation. This vulnerability can potentially lead to serious security implications. As a mitigation measure, OpenAM introduced `TemplateClassResolver.SAFER_RESOLVER` in commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 to prevent the resolution of commonly exploited classes in FreeMarker template injection. The fix is expected to be released in version 15.0.4.
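The mitigation described above, shown as an added example that is not OpenAM's own code: a FreeMarker `Configuration` left at its default resolver beside one set to `TemplateClassResolver.SAFER_RESOLVER`, with a check that can be used to audit a configuration. The class name, the template text and the `gotoUrl` variable are assumptions made for illustration.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;

public class SaferLoginUrlTemplate {

    /** Configuration using the resolver named in the fix commit. */
    static Configuration hardenedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        // SAFER_RESOLVER is a denylist: the ?new built-in can no longer load
        // the utility classes FreeMarker documents as dangerous.
        // ALLOWS_NOTHING_RESOLVER is stricter and rejects every class.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        // ?api exposes the Java API of wrapped objects; off by default, kept explicit.
        cfg.setAPIBuiltinEnabled(false);
        cfg.setURLEscapingCharset("UTF-8"); // required by the ?url built-in
        return cfg;
    }

    /** Audit check: true only if ?new is restricted for this configuration. */
    static boolean isNewBuiltinRestricted(Configuration cfg) {
        TemplateClassResolver r = cfg.getNewBuiltinClassResolver();
        return r == TemplateClassResolver.SAFER_RESOLVER
            || r == TemplateClassResolver.ALLOWS_NOTHING_RESOLVER;
    }

    /** Renders an administrator-supplied URL template against a data model. */
    static String render(Configuration cfg, String source, Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = new Template("customLoginUrl", source, cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // FreeMarker's default resolver is UNRESTRICTED_RESOLVER.
        Configuration weak = new Configuration(Configuration.VERSION_2_3_23);
        Configuration safe = hardenedConfig();
        System.out.println("default restricted:  " + isNewBuiltinRestricted(weak));
        System.out.println("hardened restricted: " + isNewBuiltinRestricted(safe));
        // Constructed sample template and value (hypothetical, not from OpenAM).
        String tpl = "https://login.example/sso?goto=${gotoUrl?url}";
        System.out.println(render(safe, tpl, Map.of("gotoUrl", "https://app.example/cb")));
    }
}
```

Because `SAFER_RESOLVER` only blocks specific classes, it reduces the impact of an injected template rather than validating the template itself; restricting who can set the template value remains a separate control.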
