{"id":"CVE-2024-41667","summary":"OpenAM FreeMarker template injection","details":"OpenAM is an open access management solution. In versions 15.0.3 and prior, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to override the default OpenAM login, they did not restrict the `CustomLoginUrlTemplate`, allowing it to be set freely. Commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 introduces `TemplateClassResolver.SAFER_RESOLVER` to disable the resolution of commonly exploited classes in FreeMarker template injection. As of time of publication, this fix is expected to be part of version 15.0.4.","aliases":["GHSA-7726-43hg-m23v"],"modified":"2026-04-12T10:34:55.638312Z","published":"2024-07-24T17:29:58.564Z","database_specific":{"cwe_ids":["CWE-94"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41667.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41667.json"},{"type":"ADVISORY","url":"https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-7726-43hg-m23v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41667"},{"type":"FIX","url":"https://github.com/OpenIdentityPlatform/OpenAM/commit/fcb8432aa77d5b2e147624fe954cb150c568e0b8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openidentityplatform/openam","events":[{"introduced":"0"},{"fixed":"fcb8432aa77d5b2e147624fe954cb150c568e0b8"}]},{"type":"GIT","repo":"https://github.com/openidentityplatform/openam","events":[{"introduced":"0"},{"fixed":"fcb8432aa77d5b2e147624fe954cb150c568e0b8"}]}],"versions":["13.0.0","13.0.0-RC1","13.0.0-RC10","13.0.0-RC2","13.0.0-RC3","13.0.0-RC4","13.0.0-RC5","13.0.0-RC6","13.0.0-RC7","13.0.0-RC8","13.0.0-RC9","14.0.0","14.0.1","14.0.2","14.0.3","14.0.4","14.0.5","14.0.6","14.1.1","14.1.10","14.1.11","14.1.12","14.1.13","14.1.16","14.1.17","14.1.2","14.1.3","14.1.4","14.1.5","14.1.6","14.1.7","14.1.8","14.1.9","14.2.1","14.2.2","14.3.1","14.4.1","14.4.2","14.5.1","14.5.2","14.5.3","14.5.4","14.6.2","14.6.3","14.6.4","14.6.5","14.6.6","14.7.0","14.7.1","14.7.2","14.7.3","14.7.4","14.8.1","14.8.2","14.8.3","14.8.4","15.0.0","15.0.1","15.0.2","15.0.3"],"database_specific":{"vanir_signatures":[{"id":"CVE-2024-41667-a76c1313","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["167698212189320102038468670185122101581","333217084580081520750114882302192870345","242758765263507245961221675209617516736","171377883921873264354728339288855473247","74593089722625635972695191787643013661","114113819380802561494735672030476449860","79264975116197953456442546488561128708","209771306938004656813357798919321896981"]},"signature_type":"Line","target":{"file":"openam-oauth2/src/main/java/org/forgerock/oauth2/core/RealmOAuth2ProviderSettings.java"},"deprecated":false,"source":"https://github.com/openidentityplatform/openam/commit/fcb8432aa77d5b2e147624fe954cb150c568e0b8"},{"id":"CVE-2024-41667-f527e129","signature_version":"v1","digest":{"function_hash":"198436883434807415942435240683823775367","length":452},"signature_type":"Function","target":{"function":"getCustomLoginUrlTemplate","file":"openam-oauth2/src/main/java/org/forgerock/oauth2/core/RealmOAuth2ProviderSettings.java"},"deprecated":false,"source":"https://github.com/openidentityplatform/openam/commit/fcb8432aa77d5b2e147624fe954cb150c568e0b8"}],"vanir_signatures_modified":"2026-04-12T10:34:55Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41667.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}