CVE-2023-41319

CVSS 3.1 Score 7.2 of 10 (high)

Details

Published Sep 6, 2023
Updated: Sep 13, 2023
CWE ID 94
CWE ID 693

Summary

CVE-2023-41319 is a vulnerability affecting versions 2.11.0 through 2.19.0 of the Fides open-source privacy engineering platform. The issue stems from the platform's webserver API, which allows the upload of custom integrations as ZIP files containing YAML and Python code. While the Python code is executed in a restricted environment, the sandbox can be bypassed, enabling attackers to run arbitrary code. This vulnerability can grant `root` access on the webserver container, potentially leading to attacks on underlying infrastructure and integrated systems. The exploitation is limited to API clients with the `CONNECTOR_TEMPLATE_REGISTER` authorization scope, which is only accessible to highly privileged users. To mitigate this risk, users are advised to upgrade to Fides version 2.19.0 or later. Alternatively, they should ensure that the `allow_custom_connector_functions` configuration parameter is disabled in `fides.toml` or by setting the env var to `False`.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share