CVE-2024-45053

Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5	Patch
https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-04 16:15

Updated : 2024-09-06 18:20

NVD link : CVE-2024-45053

Mitre link : CVE-2024-45053

CVE.ORG link : CVE-2024-45053

JSON object : View

Products Affected

ethyca

fides

CWE

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2024-45053", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2024-09-04T16:15:07.910", "references": [{"url": "https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1336"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds."}, {"lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto. A partir de la versi\u00f3n 2.19.0 y antes de la versi\u00f3n 2.44.0, la funci\u00f3n de creaci\u00f3n de plantillas de correo electr\u00f3nico utiliza Jinja2 sin la desinfecci\u00f3n de entrada adecuada ni restricciones del entorno de renderizado, lo que permite la inyecci\u00f3n de plantillas del lado del servidor que otorga la ejecuci\u00f3n remota de c\u00f3digo a usuarios privilegiados. Un usuario privilegiado se refiere a un usuario de la interfaz de usuario de administraci\u00f3n con el rol predeterminado de \"Propietario\" o \"Colaborador\", que puede escalar su acceso y ejecutar c\u00f3digo en el contenedor del servidor web de Fides subyacente donde se ejecuta la funci\u00f3n de renderizado de plantillas de Jinja. La vulnerabilidad se ha corregido en la versi\u00f3n \"2.44.0\" de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o una posterior para proteger sus sistemas contra esta amenaza. No hay workarounds."}], "lastModified": "2024-09-06T18:20:35.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58150E65-FD62-47CA-ACD7-2F8876F131EF", "versionEndExcluding": "2.44.0", "versionStartIncluding": "2.19.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}