[FREEMARKER-124] Security - templates can get classloader by using java.security.ProtectionDomain.getClassLoader - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.3.30
Component/s: None
Labels:
- security

Flags:

Important

Description

By using java.security.ProtectionDomain.getClassLoader templates will get access to the classloader and from there can get filesystem access and more.

See:

https://github.com/apache/freemarker/pull/62

And

https://ackcent.com/blog/in-depth-freemarker-template-injection/

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Gal Ben Ami

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 09/Dec/19 09:19

Updated:: 07/Mar/20 14:20

Resolved:: 11/Jan/20 18:38