
CVE-2024-41667

Severity: High (RCE)

Published: 24 July 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: commit fcb8432aa77d5b2e147624fe954cb150c568e0b8, expected in OpenAM 15.0.4
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.7431 (98.9th percentile)
Risk Priority: 62 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-41667 is a high-severity Code Injection (CWE-94) vulnerability: a server-side template injection in the FreeMarker template OpenAM uses for its custom login URL. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 1.1% of CVEs by EPSS exploit likelihood (98.9th percentile) and is not currently listed in the CISA KEV catalog.

Deeper analysis

OpenAM, an open-source access management platform, is affected by a server-side template injection vulnerability in versions 15.0.3 and earlier. The flaw resides in the getCustomLoginUrlTemplate method of RealmOAuth2ProviderSettings.java, which processes unsanitized user-controlled input when constructing custom login URLs via the FreeMarker templating engine. The original design allowed the CustomLoginUrlTemplate setting to be configured without restrictions, enabling injection of arbitrary template directives.

An attacker who is authenticated with the low privilege needed to edit the OAuth2 provider settings can store a malicious template in CustomLoginUrlTemplate; it is rendered server-side and leads to remote code execution. Successful exploitation grants full control over confidentiality, integrity and availability of the affected server, matching the CVSS vector: network-reachable, low attack complexity, low privileges, no user interaction, unchanged scope, high impact on all three properties.

The project addressed the issue in commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 by setting TemplateClassResolver.SAFER_RESOLVER on the FreeMarker configuration. That resolver keeps the `?new` built-in but refuses to instantiate the three classes most commonly abused in FreeMarker template injection (freemarker.template.utility.ObjectConstructor, Execute and JythonRuntime); it is a block list rather than a sandbox, so any other dangerous object reachable from the template's data model remains reachable. The fix is expected in the 15.0.4 release. Until it is available, administrators should restrict who can edit OAuth2 provider settings (and therefore the CustomLoginUrlTemplate value) and treat any existing value that contains FreeMarker directives or the `?new` built-in as suspect. The EPSS score has remained stable at 0.7431 with no indicated post-disclosure increase.


Vulnerability details

OpenAM is an open access management solution. In versions 15.0.3 and prior, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to override the default OpenAM login, they did not restrict the `CustomLoginUrlTemplate`, allowing it to be set freely. Commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 introduces `TemplateClassResolver.SAFER_RESOLVER` to disable the resolution of commonly exploited classes in FreeMarker template injection. As of time of publication, this fix is expected to be part of version 15.0.4.
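The following is an added example, not code from OpenAM, FreeMarker or the advisory above. It illustrates the pattern described in the Deeper analysis and in the vulnerability details: an operator-supplied template string rendered with a FreeMarker configuration that resolves any class through `?new` (the pre-fix behaviour), beside the same render under TemplateClassResolver.SAFER_RESOLVER, plus an allowlist check that can be applied to the CustomLoginUrlTemplate value before it is saved. The class and method names, the model variables, the template strings and the FreeMarker version constant are assumptions for illustration; they are not OpenAM's.

```java
// Added example, not OpenAM's or FreeMarker's own code. Contrasts the pre-fix behaviour
// (any class instantiable via ?new) with TemplateClassResolver.SAFER_RESOLVER, and adds
// an allowlist check for the CustomLoginUrlTemplate value itself. Method names, model
// variables, template strings and the version constant are assumptions.
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LoginUrlTemplateDemo {

    // The resolver is the knob the fix turns. SAFER_RESOLVER refuses ?new on
    // ObjectConstructor, Execute and JythonRuntime; every other class still resolves.
    static Configuration buildConfig(boolean hardened) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        cfg.setNewBuiltinClassResolver(hardened
                ? TemplateClassResolver.SAFER_RESOLVER
                : TemplateClassResolver.UNRESTRICTED_RESOLVER);
        return cfg;
    }

    // Renders an operator-supplied template string against the login context, which is
    // what the vulnerable method does with the stored CustomLoginUrlTemplate value.
    static String renderLoginUrl(Configuration cfg, String templateSource, Map<String, Object> model)
            throws IOException, TemplateException {
        Template tpl = new Template("customLoginUrl", new StringReader(templateSource), cfg);
        StringWriter out = new StringWriter();
        tpl.process(model, out);
        return out.toString();
    }

    // Reports a blocked render instead of propagating, so both paths can be shown.
    static String tryRender(Configuration cfg, String templateSource, Map<String, Object> model)
            throws IOException {
        try {
            return renderLoginUrl(cfg, templateSource, model);
        } catch (TemplateException e) {
            return "BLOCKED: " + e.getMessage();
        }
    }

    // Defence in depth on the setting itself: accept only unreserved/sub-delim URL
    // characters plus ${name} interpolations of known variables. No '<', '[', '#', '{'
    // or quote can pass, so neither angle- nor square-bracket directives, comments nor
    // the ?new built-in can reach the engine. (The variable set is an assumption.)
    private static final Set<String> ALLOWED_VARS = Set.of("baseUrl", "realm", "gotoUrl");
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([A-Za-z0-9_]+)}");
    private static final Pattern LITERAL = Pattern.compile("[A-Za-z0-9\\-._~:/?@!$&*+,;=%]*");

    static boolean isAllowedLoginUrlTemplate(String templateSource) {
        Matcher m = PLACEHOLDER.matcher(templateSource);
        int last = 0;
        while (m.find()) {
            if (!ALLOWED_VARS.contains(m.group(1))) return false;
            if (!LITERAL.matcher(templateSource.substring(last, m.start())).matches()) return false;
            last = m.end();
        }
        return LITERAL.matcher(templateSource.substring(last)).matches();
    }

    public static void main(String[] args) throws IOException {
        Map<String, Object> model = new HashMap<>();
        model.put("baseUrl", "https://sso.example.test");
        model.put("realm", "/customers");
        model.put("gotoUrl", "https://app.example.test/cb");

        String benign = "${baseUrl}/XUI/?realm=${realm}&goto=${gotoUrl}";
        // Constructed payloads of the kind the advisory describes. ObjectConstructor is
        // used for the unpatched run so it stays harmless; Execute would run OS commands.
        String instantiate = "<#assign oc=\"freemarker.template.utility.ObjectConstructor\"?new()>"
                + "${oc(\"java.lang.StringBuilder\", \"instantiated-from-template\")}";
        String execute = "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";

        Configuration legacy = buildConfig(false);
        Configuration fixed = buildConfig(true);

        System.out.println("legacy, benign   : " + tryRender(legacy, benign, model));
        System.out.println("legacy, ?new     : " + tryRender(legacy, instantiate, model));
        System.out.println("fixed,  ?new     : " + tryRender(fixed, instantiate, model));
        System.out.println("fixed,  Execute  : " + tryRender(fixed, execute, model));

        System.out.println("allowlist benign : " + isAllowedLoginUrlTemplate(benign));
        System.out.println("allowlist payload: " + isAllowedLoginUrlTemplate(instantiate));
    }
}
```

Under the legacy configuration the `?new` payload instantiates an arbitrary class and its result is printed into the login URL; under the hardened configuration both payloads fail at the `?new` call with a TemplateException. If no legitimate template ever needs `?new`, FreeMarker's TemplateClassResolver.ALLOWS_NOTHING_RESOLVER removes the built-in entirely. In either case the allowlist check on the saved setting is the stronger control, since SAFER_RESOLVER is a three-entry block list and anything else exposed to the template stays callable.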

CWE(s)

CWE-94: Improper Control of Generation of Code ('Code Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

OpenAM 15.0.3 and earlier (inferred from references and description; NVD did not file a CPE for this CVE).

Mitigating Controls

Likely mitigating controls (derived automatically): per-CVE control mapping for this CVE has not run yet, so the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each entry addresses CWE-94.

- Execution from hardware-protected read-only media: makes persistent code injection into loaded programs impossible when the executable image itself resides on read-only media.
- Sandboxed execution of dynamically generated code: dynamically generated code is produced and executed inside an isolated chamber, so a code-injection payload cannot compromise the host.
- Input validation for dynamic code generation: validates inputs used in dynamic code generation to block injected directives.
- Data execution prevention: directly prevents execution of attacker-supplied code written into data memory regions.

For this CVE only the input-validation and sandboxing controls map cleanly. The injected FreeMarker directives are interpreted by the JVM rather than written into a program image or a data memory region, so read-only executable media and non-executable data regions do not stop them. Validating or allowlisting the CustomLoginUrlTemplate value, restricting who may change OAuth2 provider settings, and running OpenAM as an isolated, least-privilege process are the controls that apply directly.
