CVE-2023-41319

CVSS 3.1 Score 7.2 of 10 (high)

Details

Published Sep 6, 2023
Updated: Sep 13, 2023
CWE ID 94
CWE ID 693

Summary

CVE-2023-41319 is a vulnerability affecting versions 2.11.0 through 2.19.0 of the Fides open-source privacy engineering platform. The issue stems from the platform's webserver API, which allows the upload of custom integrations as ZIP files containing YAML and Python code. While the Python code is executed in a restricted environment, the sandbox can be bypassed, enabling attackers to run arbitrary code. This vulnerability can grant `root` access on the webserver container, potentially leading to attacks on underlying infrastructure and integrated systems. The exploitation is limited to API clients with the `CONNECTOR_TEMPLATE_REGISTER` authorization scope, which is only accessible to highly privileged users. To mitigate this risk, users are advised to upgrade to Fides version 2.19.0 or later. Alternatively, they should ensure that the `allow_custom_connector_functions` configuration parameter is disabled in `fides.toml` or by setting the env var to `False`.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future

Note: This is just a basic overview providing quick insights into CVE-2023-41319 information. Gain full access to comprehensive CVE data, third party vulnerabilities, compromised credentials and more with Recorded Future
  • Gain complete coverage of your cyber, third party, and physical attack surface
  • Proactively mitigate threats before they turn into costly attacks
  • Make fast, effective, data-driven decisions