Skip to content

CVE-2023-49964: FreeMarker Server-Side Template Injection in Alfresco

Notifications You must be signed in to change notification settings

mbadanoiu/CVE-2023-49964

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 

Repository files navigation

CVE-2023-49964: FreeMarker Server-Side Template Injection in Alfresco

An issue was discovered in Hyland Alfresco Community Edition <=7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution).

Note: This issue exists because of an incomplete fix for CVE-2020-12873.

NVD Disclosure:

The disclosure for this vulnerability can be found here.

Requirements:

This vulnerability requires:

  • Valid user credentials

Proof Of Concept:

More details and the exploitation process can be found in this PDF.

Additional Resources:

Initial vulnerability (CVE-2020-12873) and blogpost by Alvaro "pwntester" Munoz that inspired the SSTI research and finding of this vulnerability.

SSTI Case study: Alfresco by PortSwigger Research

The SSTI gadget used to escape the FreeMarker sandbox was inspired from this article by Vincent Herbulot of Synacktiv

Timeline:

  • This vulnerability was initially reported to security@alfresco.com on 22-Feb-2022
  • Hyland reached out and the report was resubmitted to appsecurity@Hyland.com on 07-Apr-2022
  • Retested the vulnerability on 19-Jan-2023 and noticed that the vulnerability was fixed and the vendor decided to silently patch it (no advisory, no CVE, no communication)
  • Publically disclosed the vulnerability on 09-Dec-2023