CVE-2024-37301
Published: 11 June 2024
Summary
CVE-2024-37301 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, ranked in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Document Merge Service, a document template merge service that exposes an API for managing templates and performing merges, is affected by a server-side template injection vulnerability in versions 6.5.1 and earlier. The flaw, tracked as CVE-2024-37301 and assigned CWE-1336, permits remote code execution; when the service runs as root this can yield complete control of the underlying system. The issue carries a CVSS 3.1 base score of 7.2.
An attacker must possess high privileges on the service (PR:H) to supply a malicious template through the management API. Successful exploitation results in arbitrary code execution on the server, enabling full system takeover without any user interaction or additional network-adjacent access.
Public advisories and the referenced GitHub security notice state that, at the time of disclosure, no patched release existed and no workarounds had been identified. The EPSS score remains low, with a current value of 0.0560 and a peak of 0.0780.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2170
Vulnerability details
Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root,…
more
can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.