[jira] [Resolved] (FREEMARKER-202) SRCCLR-SID-30023 - SSTI

KV (Jira) Mon, 03 Jan 2022 05:27:04 -0800


     [ 
https://issues.apache.org/jira/browse/FREEMARKER-202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


KV resolved FREEMARKER-202.
---------------------------
    Resolution: Invalid

Thanks [~ddekany] for the quick response.  Glad to see it's been remediated 
already, and I'll look into why it was being flagged incorrectly on our end.

> SRCCLR-SID-30023 - SSTI 
> ------------------------
>
>                 Key: FREEMARKER-202
>                 URL: https://issues.apache.org/jira/browse/FREEMARKER-202
>             Project: Apache Freemarker
>          Issue Type: Bug
>            Reporter: KV
>            Priority: Major
>              Labels: security
>
> Long-standing vulnerability.
> [https://sca.analysiscenter.veracode.com/vulnerability-database/security/server-side-template-injection-ssti/java/sid-30023]
> freemarker is vulnerable to server-side template injection (SSTI). By using 
> `java.security.ProtectionDomain.getClassLoader` templates, an attacker is 
> able to gain access to the classloader and subsequently the filesystem or 
> execute arbitrary code on the host OS.
> Please fix ASAP.
>  
> SRCCLR-SID-30023



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Resolved] (FREEMARKER-202) SRCCLR-SID-30023 - SSTI

Reply via email to