CVE-2024-37301: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in adfinis document-merge-service
Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the affected system. As of time of publication, no patched version exists, nor have any known workarounds been disclosed.
AI Analysis
Technical Summary
CVE-2024-37301 is a vulnerability classified under CWE-1336, indicating improper neutralization of special elements used in a template engine within the adfinis document-merge-service. This service provides an API for managing document templates and merging them with data. Versions 6.5.1 and earlier are affected. The root cause is a server-side template injection (SSTI) flaw that allows an attacker to inject and execute arbitrary code on the server by manipulating template inputs. When the service runs with root privileges, successful exploitation can lead to complete system compromise, including unauthorized access, data exfiltration, and persistent control over the host. The vulnerability is remotely exploitable over the network without user interaction but requires the attacker to have high privileges, possibly through prior access or misconfigurations. No patches or official workarounds are available at the time of disclosure, increasing the urgency for defensive measures. The CVSS v3.1 score is 7.2, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity but requiring elevated privileges. This vulnerability poses a significant risk to environments relying on document-merge-service for automated document generation and processing.
Potential Impact
For European organizations, the impact of CVE-2024-37301 can be severe. The ability to execute arbitrary code remotely with root privileges can lead to full system compromise, data breaches, and disruption of critical document processing workflows. Organizations in sectors such as finance, healthcare, government, and legal services that depend on automated document generation are particularly vulnerable. Compromise could result in exposure of sensitive personal and corporate data, regulatory non-compliance (e.g., GDPR violations), and operational downtime. The lack of available patches or mitigations increases the risk window, potentially inviting targeted attacks or exploitation by opportunistic threat actors. Additionally, the vulnerability could be leveraged as a foothold for lateral movement within networks, escalating the threat to broader IT infrastructure.
Mitigation Recommendations
Until an official patch is released, European organizations should implement the following mitigations:
1) Run the document-merge-service with the least privileges possible, avoiding root or administrative accounts.
2) Isolate the service in a restricted network segment or container to limit exposure and lateral movement.
3) Employ strict input validation and sanitization on data fed into templates, if possible, to reduce injection risk.
4) Monitor logs and network traffic for unusual activity indicative of exploitation attempts, such as unexpected template processing or command execution.
5) Restrict API access to trusted users and systems using strong authentication and network controls.
6) Prepare incident response plans specific to this vulnerability, including rapid containment and forensic analysis.
7) Stay alert for vendor updates or community patches and apply them promptly once available.
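The following is an added illustration of mitigations 1 and 3 and is not code from the advisory or from the document-merge-service project. It assumes Jinja-style delimiters (`{{`, `{%`, `{#`), since the advisory does not name the template engine; the merge data and the function names are constructed for the example. It runs with the Python standard library only.

```python
import os
import re
from dataclasses import dataclass, field

# ASSUMPTION: Jinja-style delimiters. The advisory does not say which template
# engine document-merge-service uses, so adjust this tuple for the real engine.
TEMPLATE_DELIMITERS = ("{{", "{%", "{#")
# Dunder attribute access has no legitimate place in a merge data value such
# as a customer name or an address line.
DUNDER_ACCESS = re.compile(r"__\w+__")


@dataclass
class ValidationResult:
    ok: bool
    findings: list = field(default_factory=list)


def flatten(value, path="$"):
    """Yield (json-path, string) pairs for every string inside nested dict/list data."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten(child, f"{path}.{key}")
    elif isinstance(value, (list, tuple)):
        for index, child in enumerate(value):
            yield from flatten(child, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value


def validate_merge_data(data):
    """Mitigation 3: reject merge data that carries template syntax or dunder access.

    Returns a ValidationResult; callers should refuse the merge when ok is False
    and log the findings so the attempt is visible to monitoring (mitigation 4).
    """
    findings = []
    for path, text in flatten(data):
        for delim in TEMPLATE_DELIMITERS:
            if delim in text:
                findings.append(f"{path}: contains template delimiter {delim!r}")
        if DUNDER_ACCESS.search(text):
            findings.append(f"{path}: contains dunder attribute access")
    return ValidationResult(ok=not findings, findings=findings)


def running_as_root(euid=None):
    """Mitigation 1: report whether the merge process would run as root (euid 0).

    euid defaults to the current process's effective uid on POSIX systems.
    """
    if euid is None:
        euid = os.geteuid() if hasattr(os, "geteuid") else -1
    return euid == 0


if __name__ == "__main__":
    # Constructed sample merge payloads (not real customer data).
    clean = {"customer": {"name": "Alice Example", "items": ["Widget", "Gadget"]}}
    suspicious = {"customer": {"name": "{{ config }}", "note": "x.__class__"}}
    for payload in (clean, suspicious):
        result = validate_merge_data(payload)
        print("accepted" if result.ok else "rejected", result.findings)
    if running_as_root():
        print("refusing to start: merge worker must not run as root")
```

The validator only hardens the data path. The advisory's root cause is the template itself being under attacker control, so this check narrows the attack surface but does not close the vulnerability; running the service unprivileged and isolating it remain the primary controls until a fix ships.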
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2024-06-05T20:10:46.497Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6983a549f9fa50a62fa8d0da
Added to database: 2/4/2026, 8:00:09 PM
Last enriched: 2/4/2026, 8:14:30 PM
Last updated: 3/22/2026, 2:18:42 AM