CVE-2024-45053: Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine

September 4, 2024

The Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default Owner or Contributor role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed.

References

github.com/advisories/GHSA-c34r-238x-f7qx
github.com/ethyca/fides
github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx
nvd.nist.gov/vuln/detail/CVE-2024-45053

Detect and mitigate CVE-2024-45053 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →