Hello folks,

I'm not sure if this is the proper mailing list to discuss such information. Anyway, I looked at the reported security vulnerability and it seems not to be critical unless the solution deployed has the ability to modify FTL files on the server. So it may not be critical depending on the type of solution being deployed, as you must be able to inject an FTL template and evaluate it to get access to a class loader and then use it to inject malicious code.

Regards,

On 3/7/22 17:43, Demarcq, Arnaud wrote:
Dear dev@freemarker.apache.org,

We are using freemarker as our main templating engine for the various software 
my team and I are maintaining.

In order to be certain our software is secure and compliant with the latest 
security standards, our code is dynamically tested with Veracode. We 
currently have the latest version of freemarker flagged as dangerous because 
of this CVE:

CVE-2021-46361 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46361>
org.freemarker:freemarker is vulnerable to arbitrary code execution. 
Remote attackers are able to inject and execute malicious scripts on the host 
machine via crafted payloads to bypass security restrictions.


The options we have are:

   *   Waiting for a new release of freemarker that fixes this CVE
   *   Switching to another templating engine (which I would like to avoid if 
we can, as this would mean a break in backward compatibility due to the syntax 
of the templates).

Can you please kindly share if this issue is being actively worked on? If it 
is, do you have a tentative date for the next release?

Many thanks and kind regards,

Arnaud DEMARCQ
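The first reply above makes the point that the vulnerability only matters when an attacker can get their own FTL source evaluated by the engine. The following is an added illustration of that point and is not code from this thread or from the FreeMarker project: it shows a Configuration in which templates come only from an application-owned loader, user input enters solely as a data-model value, and the built-ins that reach Java classes from inside a template are switched off. The template name `greeting.ftl`, its content and the `HardenedFreemarkerExample` class are constructed for this example; the API calls (`StringTemplateLoader`, `setNewBuiltinClassResolver`, `setAPIBuiltinEnabled`) are real FreeMarker 2.3.x APIs. It addresses the precondition named in the reply (attacker-controlled template source), not the library defect itself.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class HardenedFreemarkerExample {

    // Builds a Configuration that keeps untrusted data out of template source
    // and removes the built-ins that reach Java classes from inside a template.
    static Configuration buildConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);

        // Templates come only from this in-memory loader, populated by the
        // application at startup; nothing under user control is ever added to it.
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("greeting.ftl", "Hello ${name}!"); // constructed sample template
        cfg.setTemplateLoader(loader);

        // The "new" built-in can instantiate arbitrary classes; refuse all of them.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // The ?api built-in exposes the underlying Java object; keep it off (the default).
        cfg.setAPIBuiltinEnabled(false);
        // Fail loudly rather than writing error details into the rendered output.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    // Renders a fixed, application-owned template. User input is supplied as a
    // data-model value, so it is emitted as text and never parsed as FTL.
    static String render(Configuration cfg, String userSuppliedName)
            throws IOException, TemplateException {
        Template template = cfg.getTemplate("greeting.ftl");
        Map<String, Object> model = new HashMap<>();
        model.put("name", userSuppliedName);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = buildConfiguration();
        // Constructed input that looks like FTL syntax: because it only ever
        // enters through the data model it is interpolated verbatim, not evaluated.
        System.out.println(render(cfg, "${1+1}"));
    }
}
```

The check a reviewer would apply to an existing deployment is the same split: look for any path where a string an end user influences ends up as template source (a `putTemplate` call fed from a request, a file-based loader pointing at a writable directory, or `new Template(name, reader, cfg)` over user text). If none exists, the reply's precondition is not met; if one does, that path, not the library version alone, is the thing to fix.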

