CVE-2024-45053: Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine
(updated )
The Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default Owner
or Contributor
role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed.
References
Detect and mitigate CVE-2024-45053 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →