Hi, They refer to a Magnolia CMS vulnerability that was fixed in Magnolia CMS, and a FreeMarker kind-of-vulnerability, which was already addressed in 2.3.31. See also: https://issues.apache.org/jira/browse/FREEMARKER-205
But most importantly, see this: https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security On Mon, Mar 7, 2022 at 8:52 PM Demarcq, Arnaud <arnaud.dema...@experian.com.invalid> wrote: > Dear dev@freemarker.apache.org<mailto:dev@freemarker.apache.org>, > > We are using freemarker as our main templating engine for the various > software me and my team are maintaining. > > In order to be certain our software is secure and compliant with the > latest security standards, our code is dynamically tested with Veracode. > We're currently having the latest version of freemarker flagged as > dangerous because of this CVE: > > CVE-2021-46361< > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46361> > undefined: org.freemarker:freemarker is vulnerable to arbitrary code > execution. Remote attackers are able to inject and execute malicious > scripts on the host machine via crafted payloads to bypass security > restrictions. > > > The option we have are: > > * Waiting for a new release of freemarker that fixes this CVE > * Switching to an other templating engine (which I would like to avoid > if we can, as this would mean a breach in ascending compatibility due to > syntax in the templates). > > Can you please kindly share if this issue is being actively worked on ? If > it is, do you have a tentative date for the next release ? > > Many thanks and kind regards, > > Arnaud DEMARCQ > > -- Best regards, Daniel Dekany
