{"id": "CVE-2023-41319", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2023-09-06T18:15:08.937", "references": [{"url": "https://github.com/ethyca/fides/commit/5989b5fa744c8d8c340963b895a054883549358a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ethyca/fides/security/advisories/GHSA-p6p2-qq95-vq5h", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ethyca/fides/commit/5989b5fa744c8d8c340963b895a054883549358a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ethyca/fides/security/advisories/GHSA-p6p2-qq95-vq5h", "tags": ["Mitigation", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-693"}]}], "descriptions": [{"lang": "en", "value": "Fides is an open-source 
privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML files, but Fides can be configured to also accept the inclusion of custom Python code in it. The custom code is executed in a restricted, sandboxed environment, but the sandbox can be bypassed to execute any arbitrary code. The vulnerability allows the execution of arbitrary code on the target system within the context of the webserver python process owner on the webserver container, which by default is `root`, and leverage that access to attack underlying infrastructure and integrated systems. This vulnerability affects Fides versions `2.11.0` through `2.19.0`. Exploitation is limited to API clients with the `CONNECTOR_TEMPLATE_REGISTER` authorization scope. In the Fides Admin UI this scope is restricted to highly privileged users, specifically root users and users with the owner role. Exploitation is only possible if the security configuration parameter `allow_custom_connector_functions` is enabled by the user deploying the Fides webserver container, either in `fides.toml` or by setting the env var `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS=True`. By default this configuration parameter is disabled. The vulnerability has been patched in Fides version `2.19.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. 
Users unable to upgrade should ensure that `allow_custom_connector_functions` in `fides.toml` and the `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS` are both either unset or explicit set to `False`."}, {"lang": "es", "value": "Fides es una plataforma de ingenier\u00eda de privacidad de c\u00f3digo abierto para gestionar el cumplimiento de solicitudes de privacidad de datos en un entorno de ejecuci\u00f3n y la aplicaci\u00f3n de regulaciones de privacidad en c\u00f3digo. La API del servidor web de Fides permite cargar integraciones personalizadas como un archivo ZIP. Este archivo ZIP debe contener archivos YAML, pero Fides se puede configurar para que tambi\u00e9n acepte la inclusi\u00f3n de c\u00f3digo Python personalizado. El c\u00f3digo personalizado se ejecuta en un entorno restringido y aislado, pero el entorno aislado se puede omitir para ejecutar cualquier c\u00f3digo arbitrario. La vulnerabilidad permite la ejecuci\u00f3n de c\u00f3digo arbitrario en el sistema de destino dentro del contexto del propietario del proceso Python del servidor web en el contenedor del servidor web, que de forma predeterminada es \"root\", y aprovecha ese acceso para atacar la infraestructura subyacente y los sistemas integrados. Esta vulnerabilidad afecta a las versiones de Fides `2.11.0` hasta la `2.19.0`. La explotaci\u00f3n est\u00e1 limitada a clientes API con el alcance de autorizaci\u00f3n `CONNECTOR_TEMPLATE_REGISTER`. En la interfaz de usuario de administraci\u00f3n de Fides, este alcance est\u00e1 restringido a usuarios con privilegios elevados, espec\u00edficamente usuarios root y usuarios con rol de propietario. La explotaci\u00f3n solo es posible si el par\u00e1metro de configuraci\u00f3n de seguridad `allow_custom_connector_functions` est\u00e1 habilitado por el usuario que implementa el contenedor del servidor web Fides, ya sea en `fides.toml` o estableciendo la variable env `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS=True`. 
Por defecto este par\u00e1metro de configuraci\u00f3n est\u00e1 deshabilitado. La vulnerabilidad ha sido parcheada en la versi\u00f3n `2.19.0` de Fides. Se recomienda a los usuarios que actualicen a esta versi\u00f3n o posterior para proteger sus sistemas contra esta amenaza. Los usuarios que no puedan actualizar deben asegurarse de que `allow_custom_connector_functions` en `fides.toml` y `FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS` no est\u00e9n configurados o est\u00e9n configurados expl\u00edcitamente en `False`."}], "lastModified": "2024-11-21T08:21:03.807", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7987098A-C17F-4C91-9406-7B5BAD1786DD", "versionEndExcluding": "2.19.0", "versionStartIncluding": "2.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}