CVE-2024-45053: Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine

September 4, 2024 (updated November 18, 2024)

The Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default Owner or Contributor role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed.

References

github.com/advisories/GHSA-c34r-238x-f7qx
github.com/ethyca/fides
github.com/ethyca/fides/commit/829cbd9cb5ef9c814fbac1ed6800e8d939d359c5
github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx
nvd.nist.gov/vuln/detail/CVE-2024-45053

Code Behaviors & Features

Detect and mitigate CVE-2024-45053 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →