PT-2024-27459 · Unknown · Document Merge Service

C0Rydoras

·

Published

2024-06-11

·

Updated

2026-02-04

·

CVE-2024-37301

CVSS v3.1

7.2

High

Vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Document Merge Service versions 6.5.1 and prior
Description: The issue allows remote code execution via server-side template injection: an attacker who can submit templates to the merge API (the vector rates this PR:H) can have the template engine evaluate arbitrary Python. If the service runs as root, this results in full takeover of the affected system. Where it runs as the document-merge-server user (UID 901), as in the container, the attacker still gains considerable control over the container.
Recommendations: For versions 6.5.1 and prior, update to version 6.5.2, which resolves the issue. As a temporary workaround, restrict access to the template merge API to minimize the risk of exploitation, and until the update is applied do not accept templates that use the PLACEHOLDER.__class__.__mro__[1].__subclasses__() construct, the attribute chain that leads from an ordinary template variable to every loaded Python class and on which the exploit relies.
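How the attribute chain named above reaches code that spawns processes, together with a pre-render denylist check of the kind the workaround calls for, as an added Python example. This is not code from Document Merge Service; the Jinja2-style {{ }} syntax, the function names and the two sample templates are assumptions made for illustration.

```python
"""Added illustration for the SSTI gadget chain named in this advisory.

This is example code, not code from Document Merge Service. It shows why
PLACEHOLDER.__class__.__mro__[1].__subclasses__() is dangerous when a
Python template engine evaluates it, and a pre-render denylist check that a
deployer could apply as a stop-gap next to restricting the merge API.
The template syntax is Jinja2-style and the sample templates are constructed.
"""
import re
import subprocess  # imported only so the gadget walk has a process class to find
from collections import deque


def gadget_chain_reaches(class_name: str, placeholder: str = "any value"):
    """Follow the advisory's attribute chain from a harmless template variable.

    For a str placeholder, PLACEHOLDER.__class__.__mro__[1] is `object`, and
    object.__subclasses__() enumerates every loaded class, including ones that
    spawn processes or read files. The walk is breadth-first over the whole
    subclass tree and returns the first class with the given name, or None.
    """
    root = placeholder.__class__.__mro__[1]
    seen, queue = set(), deque([root])
    while queue:
        cls = queue.popleft()
        # type.__subclasses__(cls) also works when cls is `type` itself.
        for sub in type.__subclasses__(cls):
            if sub in seen:
                continue
            seen.add(sub)
            if sub.__name__ == class_name:
                return sub
            queue.append(sub)
    return None


# Jinja2-style expression {{ ... }} and statement {% ... %} blocks.
_BLOCK_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)
# Dunder attribute access and the attr() filter: the building blocks of the
# chain above. A denylist is a workaround only; the fix is updating to 6.5.2.
_DANGER_RE = re.compile(r"__\w+__|\battr\s*\(")


def find_dangerous_expressions(template_text: str) -> list:
    """Return every template block that uses introspection constructs."""
    hits = []
    for m in _BLOCK_RE.finditer(template_text):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        if _DANGER_RE.search(body):
            hits.append(m.group(0).strip())
    return hits


# Constructed sample templates: a legitimate merge template and the gadget chain.
BENIGN_TEMPLATE = "Dear {{ PLACEHOLDER }}, your total is {{ total|round(2) }}."
MALICIOUS_TEMPLATE = "{{ PLACEHOLDER.__class__.__mro__[1].__subclasses__() }}"

if __name__ == "__main__":
    popen = gadget_chain_reaches("Popen")
    print("chain reaches:", f"{popen.__module__}.{popen.__name__}")
    print("benign template flagged:", find_dangerous_expressions(BENIGN_TEMPLATE))
    print("malicious template flagged:", find_dangerous_expressions(MALICIOUS_TEMPLATE))
```

The walk finds subprocess.Popen from nothing more than a string placeholder, which is the whole point of the chain: once a template can evaluate dunder attributes, the engine's variable namespace no longer bounds what the template can reach. The denylist catches the literal chain and the attr() filter, but string-building tricks can evade it, so it belongs next to API access restriction and the version update, not in place of them.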

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2024-37301
GHSA-V5GF-R78H-55Q6

Affected Products

Document Merge Service