CVE-2024-41667

HIGH NUCLEI

Org.openidentityplatform.openam Openam-oauth2 - Code Injection

Title source: rule

Description

OpenAM is an open access management solution. In versions 15.0.3 and prior, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to override the default OpenAM login, they did not restrict the `CustomLoginUrlTemplate`, allowing it to be set freely. Commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 introduces `TemplateClassResolver.SAFER_RESOLVER` to disable the resolution of commonly exploited classes in FreeMarker template injection. As of time of publication, this fix is expected to be part of version 15.0.4.

Nuclei Templates (1)

OpenAM<=15.0.3 FreeMarker - Template Injection

HIGHVERIFIEDby iamnoooob,rootxharsh,pdresearch

References (2)

[Patch] https://github.com/OpenIdentityPlatform/OpenAM/commit/fcb8432aa77d5b2e147624fe954cb150c568e0b8

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-7726-43hg-m23v

Scores

CVSS v3 8.8

EPSS 0.7431

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

OpenIdentityPlatform/OpenAM < 15.0.4

org.openidentityplatform.openam/openam-oauth2 0 - 15.0.4Maven

Published Jul 24, 2024

Tracked Since Feb 18, 2026