[https://issues.apache.org/jira/browse/FREEMARKER-202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17463330#comment-17463330]
Dániel Dékány commented on FREEMARKER-202:
------------------------------------------
Also, on this page it seems the report says that 2.3.31 has no vulnerabilities:
[https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/apache-freemarker/java/maven/lid-135/summary]
Sadly, it's not clear what version the page you sent is based upon. Anyway, I
know about this topic, and calling that method is blocked since 2.3.30.
> SRCCLR-SID-30023 - SSTI
> ------------------------
>
> Key: FREEMARKER-202
> URL: https://issues.apache.org/jira/browse/FREEMARKER-202
> Project: Apache Freemarker
> Issue Type: Bug
> Reporter: KV
> Priority: Major
> Labels: security
>
> Long-standing vulnerability.
> [https://sca.analysiscenter.veracode.com/vulnerability-database/security/server-side-template-injection-ssti/java/sid-30023]
> FreeMarker is vulnerable to server-side template injection (SSTI). By using
> `java.security.ProtectionDomain.getClassLoader` templates, an attacker is
> able to gain access to the classloader and subsequently the filesystem or
> execute arbitrary code on the host OS.
> Please fix ASAP.
>
> SRCCLR-SID-30023
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
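Added example, not code from the issue or from the FreeMarker project: a hardened `Configuration` that closes the two template-level routes to arbitrary Java classes (the `?new` and `?api` built-ins), next to a plain default configuration, with a check that a template calling `?new` is rejected under the hardened one. It assumes FreeMarker 2.3.30 or later on the classpath, where, as the comment above states, the `ProtectionDomain.getClassLoader` call is already blocked by the library itself; the template text and class names below are constructed for the demonstration.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class HardenedFreeMarker {

    // Default settings: ?new may instantiate any class the resolver allows.
    public static Configuration defaultConfiguration() {
        return new Configuration(Configuration.VERSION_2_3_31);
    }

    // Hardened settings for templates that are not fully trusted.
    public static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // ?new: refuse to instantiate any class from template code.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // ?api: keep raw Java objects unreachable (false is the default; stated explicitly).
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    // Render an in-memory template; setTemplateLoader also clears the template cache.
    public static String render(Configuration cfg, String source, Map<String, Object> model)
            throws IOException, TemplateException {
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("t", source);
        cfg.setTemplateLoader(loader);
        Template template = cfg.getTemplate("t");
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> model = new HashMap<>();
        model.put("name", "world");
        // Constructed template: instantiates a harmless class via ?new.
        String usesNew = "${\"java.util.ArrayList\"?new()?size}";
        System.out.println(render(defaultConfiguration(), usesNew, model)); // default allows it
        System.out.println(render(hardenedConfiguration(), "Hello ${name}!", model));
        try {
            render(hardenedConfiguration(), usesNew, model);
        } catch (TemplateException e) {
            System.out.println("Rejected by hardened config: " + e.getMessage());
        }
    }
}
```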