July 15, 2020

GHSL-2020-039: Server-side template injection in Alfresco - CVE-2020-12873

Alvaro Muñoz

Summary

A user with privileges to edit a FreeMarker template (e.g. a webscript) may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Alfresco.

Product

Alfresco Community

Tested Version

Alfresco Community 6.2.0-GA (Released: 28 Nov, 2019)

Details

Even though Alfresco does a good job limiting what objects are available to FreeMarker templates, it is still possible to find objects which can be used to bypass the FreeMarker sandbox. Deep inspection of the exposed objects' object graph allows an attacker to get access to objects that allow them to instantiate arbitrary Java objects.

Impact

This issue may lead to Remote Code Execution.

CVE

CVE-2020-12873

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 03/23/2020: Email sent to allreplies@alfresco.com to get security contact
  • 03/23/2020: Created Jira issue asking for security contact
  • 04/15/2020: Got an answser from allreplies@alfresco.com asking to report the issue to security@alfresco.com
  • 04/15/2020: Report sent to security@alfresco.com
  • 05/13/2020: Issue is fixed

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Munoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-039 in any communication regarding this issue.