Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
Metrics
Affected Vendors & Products
References
History
Fri, 06 Sep 2024 18:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-94 |
Wed, 04 Sep 2024 18:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Ethyca
Ethyca fides |
|
CPEs | cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:* | |
Vendors & Products |
Ethyca
Ethyca fides |
|
Metrics |
ssvc
|
Wed, 04 Sep 2024 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds. | |
Title | Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine | |
Weaknesses | CWE-1336 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-09-04T16:04:03.741Z
Updated: 2024-09-04T18:02:37.351Z
Reserved: 2024-08-21T17:53:51.332Z
Link: CVE-2024-45053
Vulnrichment
Updated: 2024-09-04T18:02:32.279Z
NVD
Status : Analyzed
Published: 2024-09-04T16:15:07.910
Modified: 2024-09-06T18:20:35.430
Link: CVE-2024-45053
Redhat
No data.