[
https://issues.apache.org/jira/browse/FREEMARKER-205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17499980#comment-17499980
]
Dániel Dékány commented on FREEMARKER-205:
------------------------------------------
That's a vulnerability in Magnolia CMS, not in FreeMarker. Therefore they mark
freemarker 2.3.31 itself is marked as vulnerable. Also, they link to PR that's
about something that was already addressed in 2.3.30 (so before 2.3.31). I will
contact Veracode, but I expect them to not do anything, just like last time.
See also: https://nvd.nist.gov/vuln/detail/CVE-2021-46361: An issue in the
Freemark Filter +of Magnolia CMS v6.2.11+ and below allows attackers to bypass
security restrictions and execute arbitrary code via a crafted FreeMarker
payload. Was fixed in +Magnolia CMS+ 6.2.12
Can we close this?
> Vulnerable to Arbitrary Code Execution
> --------------------------------------
>
> Key: FREEMARKER-205
> URL: https://issues.apache.org/jira/browse/FREEMARKER-205
> Project: Apache Freemarker
> Issue Type: Bug
> Components: engine
> Affects Versions: 2.3.31
> Reporter: Rupesh Pal
> Priority: Critical
>
> org.freemarker:freemarker is vulnerable to arbitrary code execution. Remote
> attackers are able to inject and execute malicious scripts on the host
> machine via crafted payloads to bypass security restrictions.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
