CVE-2024-45053
Published 2024-09-04
Priority P3 · 47 · High 7.2 (CVSS 3.1) · Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.34% (67.8th percentile)
Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ethyca | fides | — | — |
| ethyca | fides | >= 2.19.0 < 2.44.0 | 2.44.0 |
GHSA (2024-09-04): CVE-2024-45053 [HIGH] CWE-1336
Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine
### Summary
The Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed.
### Details
The application enables the creation of message templates that are sent via email to Fides Privacy Center users (data subjects) who raise privacy requests such as data subject access requests or consent management requests via
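The advisory's root cause is a template body that a privileged user can edit being rendered by an unrestricted Jinja2 `Environment`, so expressions in the template can walk Python object attributes instead of only reading the context values the application supplies. The following Python is an added illustration, not Fides code and not the project's 2.44.0 patch: it places the unrestricted rendering pattern beside a hardened one that uses Jinja2's `ImmutableSandboxedEnvironment` with `StrictUndefined`, so that an attempt to read an underscore-prefixed attribute raises `SecurityError` instead of rendering. The function names, the sample template text and the context values are constructed for the example.

```python
"""Constructed example: unrestricted vs sandboxed rendering of an
admin-editable email template. Not Fides code; names and sample data are
assumptions for illustration only."""
from jinja2 import Environment, StrictUndefined
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError

# Vulnerable pattern: the template text is rendered by a full Environment,
# so any attribute reachable from a context value is reachable from the
# template (the SSTI class the advisory describes).
def render_unrestricted(template_text: str, **context) -> str:
    env = Environment(autoescape=True)
    return env.from_string(template_text).render(**context)

# Hardened pattern: the sandbox refuses underscore-prefixed attributes and
# in-template mutation of objects; StrictUndefined turns a refused lookup into
# a raised SecurityError instead of a silently empty string, which is what a
# defender wants to see in application logs.
def render_sandboxed(template_text: str, **context) -> str:
    env = ImmutableSandboxedEnvironment(autoescape=True, undefined=StrictUndefined)
    return env.from_string(template_text).render(**context)

def template_is_blocked(template_text: str, **context) -> bool:
    """True when the sandbox rejects the template, False when it renders."""
    try:
        render_sandboxed(template_text, **context)
    except SecurityError:
        return True
    return False

# Constructed sample templates: a legitimate notification body, and a
# template that reads a dunder attribute of a context value.
BENIGN_TEMPLATE = "Hello {{ subject_name }}, your {{ request_type }} request was received."
PROBE_TEMPLATE = "{{ subject_name.__class__ }}"

if __name__ == "__main__":
    ctx = {"subject_name": "Alice", "request_type": "access"}
    print("sandboxed benign:", render_sandboxed(BENIGN_TEMPLATE, **ctx))
    print("unrestricted probe:", render_unrestricted(PROBE_TEMPLATE, **ctx))
    print("sandbox blocks probe:", template_is_blocked(PROBE_TEMPLATE, **ctx))
```

The sandbox limits what a template can reach, but it does not change who may author templates; template bodies rendered server-side should still be treated as privileged configuration and their edits audited, because the `Owner` and `Contributor` roles named in the advisory are exactly the accounts that can change them.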
OSV (2024-09-04): CVE-2024-45053 [HIGH]
Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine
(Same advisory summary and details text as the GHSA entry above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.