CVE-2024-45053

Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-04 16:15

Updated : 2024-09-06 18:20


NVD link : CVE-2024-45053

Mitre link : CVE-2024-45053

CVE.ORG link : CVE-2024-45053


JSON object : View

Products Affected

ethyca

  • fides
CWE
CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

CWE-94

Improper Control of Generation of Code ('Code Injection')