Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
References
Link | Resource |
---|---|
https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5 | Patch |
https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx | Exploit Vendor Advisory |
Configurations
History
06 Sep 2024, 18:20
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:* | |
References | () https://github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5 - Patch | |
References | () https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx - Exploit, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
First Time |
Ethyca fides
Ethyca |
|
CWE | CWE-94 |
05 Sep 2024, 12:53
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
04 Sep 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-04 16:15
Updated : 2024-09-06 18:20
NVD link : CVE-2024-45053
Mitre link : CVE-2024-45053
CVE.ORG link : CVE-2024-45053
JSON object : View
Products Affected
ethyca
- fides