CVE-2023-41319
CVSS 3.1 Score 7.2 of 10 (high)
Details
Summary
CVE-2023-41319 is a vulnerability affecting versions 2.11.0 through 2.19.0 of the Fides open-source privacy engineering platform. The issue stems from the platform's webserver API, which allows the upload of custom integrations as ZIP files containing YAML and Python code. While the Python code is executed in a restricted environment, the sandbox can be bypassed, enabling attackers to run arbitrary code. This vulnerability can grant `root` access on the webserver container, potentially leading to attacks on underlying infrastructure and integrated systems. The exploitation is limited to API clients with the `CONNECTOR_TEMPLATE_REGISTER` authorization scope, which is only accessible to highly privileged users. To mitigate this risk, users are advised to upgrade to Fides version 2.19.0 or later. Alternatively, they should ensure that the `allow_custom_connector_functions` configuration parameter is disabled in `fides.toml` or by setting the env var to `False`.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Products
- Ethyca Fides
Affected Vendors
- Ethyca
Advisories, Assessments, and Mitigations
Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future
- Gain complete coverage of your cyber, third party, and physical attack surface
- Proactively mitigate threats before they turn into costly attacks
- Make fast, effective, data-driven decisions