CVE-2023-45672 - Vulnerability Details

Vendors	Products
Frigate	Frigate

Link	Providers
https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/config.py#L1244-L1244
https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/http.py#L998-L998
https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/util/builtin.py#L110-L110
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-qp3h-4q62-p428
https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-45672", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-10T14:36:40.861Z", "datePublished": "2023-10-30T22:49:45.755Z", "dateUpdated": "2024-08-02T20:21:16.830Z"}, "containers": {"cna": {"title": "Frigate unsafe deserialization in `load_config_with_no_duplicates` of `frigate/util/builtin.py`", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-qp3h-4q62-p428", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-qp3h-4q62-p428"}, {"name": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/config.py#L1244-L1244", "tags": ["x_refsource_MISC"], "url": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/config.py#L1244-L1244"}, {"name": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/http.py#L998-L998", "tags": ["x_refsource_MISC"], "url": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/http.py#L998-L998"}, {"name": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/util/builtin.py#L110-L110", "tags": ["x_refsource_MISC"], "url": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/util/builtin.py#L110-L110"}, {"name": "https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/", "tags": ["x_refsource_MISC"], "url": "https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/"}], "affected": [{"vendor": "blakeblackshear", "product": "frigate", "versions": [{"version": "< 0.13.0-beta3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-13T19:40:37.540Z"}, "descriptions": [{"lang": "en", "value": "Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, an unsafe deserialization vulnerability was identified in the endpoints used to save configurations for Frigate. This can lead to unauthenticated remote code execution. This can be performed through the UI at `/config` or through a direct call to `/api/config/save`. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. Input is initially accepted through `http.py`. The user-provided input is then parsed and loaded by `load_config_with_no_duplicates`. However, `load_config_with_no_duplicates` does not sanitize this input by merit of using `yaml.loader.Loader` which can instantiate custom constructors. A provided payload will be executed directly at `frigate/util/builtin.py:110`. This issue may lead to pre-authenticated Remote Code Execution. Version 0.13.0 Beta 3 contains a patch."}], "source": {"advisory": "GHSA-qp3h-4q62-p428", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:21:16.830Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-qp3h-4q62-p428", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-qp3h-4q62-p428"}, {"name": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/config.py#L1244-L1244", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/config.py#L1244-L1244"}, {"name": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/http.py#L998-L998", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/http.py#L998-L998"}, {"name": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/util/builtin.py#L110-L110", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/util/builtin.py#L110-L110"}, {"name": "https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4732404-ED83-4426-AAA2-7BA34EDDD6BD", "versionEndIncluding": "0.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:frigate:frigate:0.13.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "C166CCC4-B65F-467C-B9C7-716181142D21", "vulnerable": true}, {"criteria": "cpe:2.3:a:frigate:frigate:0.13.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "950A7EE4-7B30-482E-824D-81BD4DC707F2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, an unsafe deserialization vulnerability was identified in the endpoints used to save configurations for Frigate. This can lead to unauthenticated remote code execution. This can be performed through the UI at `/config` or through a direct call to `/api/config/save`. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. Input is initially accepted through `http.py`. The user-provided input is then parsed and loaded by `load_config_with_no_duplicates`. However, `load_config_with_no_duplicates` does not sanitize this input by merit of using `yaml.loader.Loader` which can instantiate custom constructors. A provided payload will be executed directly at `frigate/util/builtin.py:110`. This issue may lead to pre-authenticated Remote Code Execution. Version 0.13.0 Beta 3 contains a patch."}, {"lang": "es", "value": "Frigate es una grabadora de v\u00eddeo en red de c\u00f3digo abierto. Antes de la versi\u00f3n 0.13.0 Beta 3, se identific\u00f3 una vulnerabilidad de deserializaci\u00f3n insegura en los endpoints utilizados para guardar configuraciones para Frigate. Esto puede provocar la ejecuci\u00f3n remota de c\u00f3digo no autenticado. Esto se puede realizar a trav\u00e9s de la interfaz de usuario en `/config` o mediante una llamada directa a `/api/config/save`. Explotar esta vulnerabilidad requiere que el atacante conozca informaci\u00f3n muy espec\u00edfica sobre el servidor Frigate de un usuario y requiere que se enga\u00f1e a un usuario autenticado para que haga clic en un enlace especialmente manipulado a su instancia de Frigate. Esta vulnerabilidad podr\u00eda ser aprovechada por un atacante en las siguientes circunstancias: Fragata expuesta p\u00fablicamente a Internet (incluso con autenticaci\u00f3n); el atacante conoce la direcci\u00f3n de la instancia de Frigate de un usuario; el atacante crea una p\u00e1gina especializada que enlaza con la instancia de Frigate del usuario; El atacante encuentra una manera de lograr que un usuario autenticado visite su p\u00e1gina especializada y haga clic en el bot\u00f3n/enlace. La entrada se acepta inicialmente a trav\u00e9s de `http.py`. Luego, la entrada proporcionada por el usuario se analiza y carga mediante `load_config_with_no_duplicates`. Sin embargo, `load_config_with_no_duplicates` no sanitiza esta entrada por el m\u00e9rito de usar `yaml.loader.Loader`, que puede crear instancias de constructores personalizados. Un payload proporcionado se ejecutar\u00e1 directamente en `frigate/util/builtin.py:110`. Este problema puede provocar una ejecuci\u00f3n remota de c\u00f3digo previamente autenticada. La versi\u00f3n 0.13.0 Beta 3 contiene un parche."}], "id": "CVE-2023-45672", "lastModified": "2024-11-21T08:27:11.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-10-30T23:15:08.697", "references": [{"source": "[email protected]", "tags": ["Product"], "url": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/config.py#L1244-L1244"}, {"source": "[email protected]", "tags": ["Product"], "url": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/http.py#L998-L998"}, {"source": "[email protected]", "tags": ["Product"], "url": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/util/builtin.py#L110-L110"}, {"source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-qp3h-4q62-p428"}, {"source": "[email protected]", "url": "https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/config.py#L1244-L1244"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/http.py#L998-L998"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/util/builtin.py#L110-L110"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-qp3h-4q62-p428"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "[email protected]", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object