Advisories for Maven/Org.jdbi/Jdbi3-Freemarker package

2026

jdbi3-freemarker Vulnerable to Improper Neutralization of Special Elements Used in FreeMarker Template Engine

Description

An Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Jdbi allows arbitrary command execution when an application using jdbi3-freemarker permits attacker-influenced text to reach FreemarkerEngine.parse() as template source. This affects org.jdbi:jdbi3-freemarker through version 3.52.1. The developer opts into FreeMarker-backed SQL templating, but does not explicitly opt into reflective Java class loading from template source. Jdbi’s FreeMarker integration should not expose unrestricted Java class instantiation …
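The advisory turns on two facts: user-influenced text must never become template source, and the FreeMarker Configuration should not permit class instantiation from a template at all. The following is an added example, not code from the advisory or from the Jdbi project, showing a FreeMarker Configuration hardened with the class resolver that rejects every class name, alongside the pattern of keeping user data as a Jdbi bind parameter (`:name`) rather than splicing it into template text. It uses only the public FreeMarker API (`Configuration`, `TemplateClassResolver`, `Template`); the class and method names `HardenedFreemarkerDemo`, `hardenedConfiguration` and `render` are made up for the example, and how the resulting Configuration is handed to jdbi3-freemarker is not shown.

```java
import java.io.StringWriter;
import java.util.Map;

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

// Example class (not part of Jdbi or FreeMarker): builds a locked-down FreeMarker
// Configuration and renders a developer-authored SQL template with it.
public class HardenedFreemarkerDemo {

    // A Configuration that refuses any Java class resolution from template source.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // The ?new built-in asks this resolver for every class name; ALLOWS_NOTHING_RESOLVER
        // rejects all of them, so no class can be instantiated from a template.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Also switch off the ?api built-in, which exposes raw Java methods of model objects.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    // Render an in-memory template against a data model. Only developer-authored
    // constants should ever be passed as templateSource.
    static String render(Configuration cfg, String templateSource, Map<String, Object> model)
            throws Exception {
        Template template = new Template("inline", templateSource, cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();

        // Legitimate use: the template text is a constant written by the developer.
        // The user-supplied value is NOT part of the template; it stays a Jdbi bind
        // parameter (:name) that the template passes through untouched and Jdbi binds later.
        String sql = "select * from users where name = :name"
                + "<#if includeDeleted> or deleted = true</#if>";
        System.out.println(render(cfg, sql, Map.of("includeDeleted", false)));

        // Check that the hardened Configuration really blocks class instantiation.
        // A harmless class name is used; the resolver rejects every name the same way.
        try {
            render(cfg, "${\"java.util.Date\"?new()}", Map.of());
            System.out.println("unexpected: instantiation was allowed");
        } catch (TemplateException e) {
            System.out.println("blocked as intended: " + e.getMessage());
        }
    }
}
```

The second call is the check a reviewer would want after applying the mitigation: if it ever prints the "unexpected" line, the Configuration in use is not the hardened one. Note that the resolver only limits what a template can instantiate; it does not make it acceptable to build template source from request data, since the template language still controls the generated SQL.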