FusionAuth is an open-source access management application that can be integrated with a wide range of technologies and platforms. You can configure and customize FusionAuth in a variety of ways through its management dashboards. FusionAuth provides identity authentication, authorization, and user management for any application.

FusionAuth versions earlier than 1.11 render email templates with the Apache FreeMarker template engine and do not filter the template content that users supply. A user who can edit an email template can therefore use the FreeMarker template engine to call freemarker.template.utility.Execute and run arbitrary commands on the underlying operating system.
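The root cause is that FreeMarker, by default, lets a template instantiate arbitrary Java classes, so untrusted template text must be rendered with a restricted class resolver. The following is an added illustration written for this page, not code from FusionAuth or from the FreeMarker project: it shows a hardened FreeMarker configuration in which the class-instantiation built-in is disabled entirely, so a user-supplied email template that tries to instantiate freemarker.template.utility.Execute fails with a TemplateException before any class is loaded or any command is run. The class names SafeTemplateRendering, hardenedConfiguration and render are hypothetical; the FreeMarker calls used (setNewBuiltinClassResolver, TemplateClassResolver.ALLOWS_NOTHING_RESOLVER, setAPIBuiltinEnabled) are part of the public FreeMarker 2.3.x API.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

// Hypothetical renderer for user-editable templates (illustration, not FusionAuth code).
public class SafeTemplateRendering {

    // Build a FreeMarker Configuration that refuses every class instantiation
    // from inside a template, so a user-supplied email template cannot
    // instantiate freemarker.template.utility.Execute or any other class.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        // ALLOWS_NOTHING_RESOLVER makes every use of the ?new built-in fail
        // with a TemplateException instead of loading the requested class.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Also disable the ?api built-in, which would otherwise expose raw Java
        // methods of model objects to template authors.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    // Render a template string against a data model using the given configuration.
    static String render(Configuration cfg, String source, Map<String, Object> model)
            throws IOException, TemplateException {
        Template template = new Template("email-template", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        Map<String, Object> model = new HashMap<>();
        model.put("user", "alice");

        // A benign template renders normally.
        System.out.println(render(cfg, "Hello ${user}", model));

        // Constructed test input: a template that only tries to instantiate the
        // Execute utility (no command is passed). Under the hardened
        // configuration the instantiation itself is rejected.
        String hostile = "${\"freemarker.template.utility.Execute\"?new()}";
        try {
            render(cfg, hostile, model);
            System.out.println("UNEXPECTED: class instantiation was allowed");
        } catch (TemplateException e) {
            System.out.println("Blocked as expected: " + e.getMessage());
        }
    }
}
```

The same configuration object should be used for every template that originates from a user, and a rendering failure on the hostile template above is a useful regression test to keep in the build: if someone later replaces the resolver with a permissive one, the test fails. Disabling the built-in at the engine level is preferable to filtering template text for the class name, because filtering must anticipate every spelling and encoding of the payload while the resolver blocks the capability itself.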

Scope of impact: FusionAuth 1.10.1 and earlier

Rule-based defense: Cloud Firewall provides basic rules that detect and block attempts to exploit this vulnerability.

Rule type: command execution

Risk level: high

Security suggestions:
  • Upgrade FusionAuth to version 1.11 or later.
  • Enable the Intrusion Prevention feature of Cloud Firewall.