CVE-2024-37301
📋 TL;DR
CVE-2024-37301 is a server-side template injection vulnerability in Document Merge Service versions 6.5.1 and prior that allows remote code execution. When exploited, attackers can execute arbitrary code on the server, potentially leading to full system compromise if the service runs with root privileges. All users running vulnerable versions of Document Merge Service are affected.
💻 Affected Systems
- Document Merge Service
⚠️ Risk & Real-World Impact
Worst Case
Full system takeover with root privileges, allowing complete control over the affected server, data exfiltration, and lateral movement within the network.
Likely Case
Remote code execution leading to service compromise, data theft, and potential deployment of malware or persistence mechanisms.
If Mitigated
Limited impact if service runs with minimal privileges and network access is restricted, though code execution would still be possible within the service context.
🎯 Exploit Status
Server-side template injection vulnerabilities are typically easy to exploit once the injection point is identified. The advisory suggests exploitation is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6
Restart Required: Yes
Instructions:
No official patch exists. Monitor the GitHub repository for updates and apply immediately when available. Consider temporary mitigation measures in the meantime.
🔧 Temporary Workarounds
Network Isolation
Platform: all
Restrict network access to Document Merge Service to only trusted sources
Use firewall rules to limit inbound connections to specific IP ranges
Service Privilege Reduction
Platform: Linux
Run Document Merge Service with non-root privileges to limit impact
Create dedicated service user: sudo useradd -r -s /bin/false docmerge
Update service configuration to run as this user
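Both workarounds above can be expressed in one place when the service is started by systemd. The drop-in below is an added example, not configuration from the Document Merge Service project; the unit name document-merge-service.service, the drop-in path and the 192.0.2.0/24 range are assumptions to replace with your own values.

```ini
# /etc/systemd/system/document-merge-service.service.d/hardening.conf
# Unit name and path are assumed; adjust to how the service is installed.

[Service]
# Before: with no User= line systemd starts the service as root, so any
# code run through the template engine would also run as root.
# After: run as the dedicated account created with useradd above.
User=docmerge

# The process and its children can never regain privileges
# (setuid binaries, file capabilities).
NoNewPrivileges=yes
CapabilityBoundingSet=

# Mount /usr, /boot, /efi and /etc read-only, hide home directories,
# and give the service its own private /tmp.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes

# Network isolation: drop all IP traffic for this unit, then allow
# loopback and one trusted range. 192.0.2.0/24 is a constructed
# placeholder for the reverse proxy or client network.
# These filters also apply to outbound traffic, so add the addresses of
# any database or identity provider the service has to reach.
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=192.0.2.0/24
```

After `systemctl daemon-reload` and a restart, `systemctl show -p User,NoNewPrivileges document-merge-service` should report the new values. Files the service writes to must be owned by docmerge before the restart.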
🧯 If You Can't Patch
- Immediately isolate affected systems from the internet and restrict network access to minimal required connections
- Implement strict input validation and sanitization for all template data inputs
🔍 How to Verify
Check if Vulnerable:
Check the Document Merge Service version. If running version 6.5.1 or earlier, the system is vulnerable.
Check Version:
Check service logs, configuration files, or use: curl -s http://localhost:8000/version (adjust port as configured)
Verify Fix Applied:
When a patch becomes available, verify the version is updated beyond 6.5.1 and test template merging functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual template processing errors
- Suspicious template content containing executable code patterns
- Unexpected system command execution in service logs
Network Indicators:
- Unusual outbound connections from Document Merge Service
- Traffic patterns suggesting data exfiltration
SIEM Query:
source="document-merge-service" AND (message="*template*" OR message="*exec*" OR message="*inject*")
🔗 References
- https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074
- https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6