Mon. Apr 6th, 2020

CVE-2020-7799: FusionAuth Command Execution Vulnerability Alert


Recently, FusionAuth issued a warning for CVE-2020-7799, a vulnerability with a high severity level.
A problem was found in FusionAuth versions prior to 1.11.0. “An authenticated user, allowed to edit e-mail templates (Home -> Settings -> Email Templates) or themes (Home -> Settings -> Themes), can execute commands on the underlying operating system by abusing freemarker.template.utility.Execute in the Apache FreeMarker engine that processes custom templates.”

We judge that the vulnerability level is high and the potential impact is large. FusionAuth users should install the latest patches promptly to avoid compromise.

Affected Version

  • Apache FusionAuth: <= 1.10

Solution

  • Users are advised to upgrade to the latest version of FusionAuth.
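
Alongside the upgrade, stored e-mail templates and themes can be audited for references to the class named in the advisory. The script below is an added example, not code from FusionAuth or from this alert. It assumes the templates have been exported as a name-to-body mapping, the sample templates are constructed, and the two extra class names and the `?new` built-in come from FreeMarker's own documentation rather than from this page.

```python
import re

# Classes that FreeMarker's SAFER_RESOLVER refuses to instantiate from a
# template; the advisory names the first one.
RISKY_CLASSES = (
    "freemarker.template.utility.Execute",
    "freemarker.template.utility.ObjectConstructor",
    "freemarker.template.utility.JythonRuntime",
)

# The ?new built-in instantiates a Java class by name. It is flagged on its
# own because the class name does not have to appear as one literal string.
# (?!=) skips URL query strings such as "/?new=1".
NEW_BUILTIN = re.compile(r"\?\s*new\b(?!=)")


def audit_template(name, body):
    """Return (template, line number, reason) tuples for one template body."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for cls in RISKY_CLASSES:
            if cls in line:
                findings.append((name, lineno, "references " + cls))
        if NEW_BUILTIN.search(line):
            findings.append((name, lineno, "uses the ?new built-in"))
    return findings


def audit_all(templates):
    """Audit a {name: body} mapping, e.g. rows exported from the template store."""
    results = []
    for name in sorted(templates):
        results.extend(audit_template(name, templates[name]))
    return results


# Constructed sample data, not taken from a real FusionAuth instance.
SAMPLES = {
    "welcome-email": 'Hello ${user.firstName},\n'
                     '<a href="https://example.com/?new=1">Get started</a>\n',
    "custom-theme": '<html>\n'
                    '<#assign helper = "freemarker.template.utility.Execute"?new()>\n'
                    '</html>\n',
}

if __name__ == "__main__":
    for template, lineno, reason in audit_all(SAMPLES):
        print(f"{template}:{lineno}: {reason}")
```

Any finding warrants manual review of the template and of who last edited it, since legitimate e-mail templates and themes rarely need to instantiate Java classes.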