cve/2024/CVE-2024-41667.md
2025-09-29 16:08:36 +00:00


### [CVE-2024-41667](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41667)
![](https://img.shields.io/static/v1?label=Product&message=OpenAM&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%2015.0.4%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-94%3A%20Improper%20Control%20of%20Generation%20of%20Code%20('Code%20Injection')&color=brighgreen)
### Description
OpenAM is an open access management solution. In versions 15.0.3 and prior, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.java is vulnerable to FreeMarker template injection because it evaluates user-controlled input as a template. Although the developer intended the custom login URL to let deployments override the default OpenAM login page, they did not restrict the `CustomLoginUrlTemplate` setting, allowing it to be set freely. Commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 introduces `TemplateClassResolver.SAFER_RESOLVER` to disable the resolution of the classes commonly abused in FreeMarker template injection. As of the time of publication, this fix is expected to be part of version 15.0.4.
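The following is an added illustration of the hardening the description refers to; it is not OpenAM code and does not reproduce `RealmOAuth2ProviderSettings.java`. It shows a FreeMarker `Configuration` with the default (unrestricted) `?new` class resolver beside one using `TemplateClassResolver.SAFER_RESOLVER`, renders a constructed custom login URL template with each, and shows that the hardened configuration refuses to instantiate the classes the resolver blocks while still rendering a legitimate template. The class name `SaferLoginUrlTemplate`, the `hardenedConfiguration`/`legacyConfiguration`/`render` helpers and the sample template strings are assumptions made for this example; the FreeMarker API calls are real.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

// Hypothetical example class, not part of OpenAM.
public class SaferLoginUrlTemplate {

    // Pre-fix shape: the default resolver lets ?new instantiate any class
    // reachable on the classpath, so a user-controlled template is fully trusted.
    static Configuration legacyConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
        return cfg;
    }

    // Post-fix shape, as the description of the commit states: SAFER_RESOLVER
    // refuses to resolve freemarker.template.utility.Execute, ObjectConstructor
    // and JythonRuntime via ?new. Any other class is still resolvable.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        // Stricter option when templates never need ?new at all:
        // cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    // Renders a template string against a data model and returns the output.
    // The template name "customLoginUrl" is a constructed label for error messages.
    static String render(Configuration cfg, String templateSource, Map<String, Object> model)
            throws IOException, TemplateException {
        Template template = new Template("customLoginUrl", new StringReader(templateSource), cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed data model and templates for the demonstration.
        Map<String, Object> model = Map.of(
                "realm", "/employees",
                "gotoUrl", "https://app.example.com/");
        String legitimate = "https://login.example.com/auth?realm=${realm}&goto=${gotoUrl}";
        // A template that tries to instantiate one of the classes SAFER_RESOLVER blocks.
        String blockedClassProbe = "${\"freemarker.template.utility.ObjectConstructor\"?new()}";

        for (Configuration cfg : new Configuration[] { legacyConfiguration(), hardenedConfiguration() }) {
            String label = cfg.getNewBuiltinClassResolver() == TemplateClassResolver.SAFER_RESOLVER
                    ? "SAFER_RESOLVER" : "UNRESTRICTED_RESOLVER";
            try {
                System.out.println(label + " legitimate template -> " + render(cfg, legitimate, model));
            } catch (TemplateException e) {
                System.out.println(label + " legitimate template rejected: " + e.getMessage());
            }
            try {
                render(cfg, blockedClassProbe, model);
                System.out.println(label + " ?new on ObjectConstructor was ALLOWED");
            } catch (TemplateException e) {
                // With SAFER_RESOLVER this branch is taken: the resolver throws before
                // any object is constructed.
                System.out.println(label + " ?new on ObjectConstructor rejected: " + e.getMessage());
            }
        }
    }
}
```

Two points for anyone auditing a similar setting. First, `SAFER_RESOLVER` blocks only the three utility classes named in its documentation; it is a mitigation for the known gadgets, not a sandbox, so treating the stored template as administrator-only configuration (and auditing changes to it) remains necessary. Second, the more robust design is to keep the template itself fixed in code and expose only data (realm, goto URL) through the model, so user or tenant input is never parsed as template syntax in the first place.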
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/Mr-xn/Penetration_Testing_POC
- https://github.com/fkie-cad/nvd-json-data-feeds