Grmpyninja

**Name of the Vulnerable Software and Affected Versions** Incus versions prior to 6.23.0 **Description** Incus, a system container and virtual machine manager, allows instance template files to be used to perform arbitrary read and write operations as root on the host server. The software utilizes pongo2 templates within instances, intended for templating files inside the instance. The pongo2 chroot isolation mechanism, designed to restrict file access to the instance's filesystem, is bypassed, granting access to the entire system's filesystem with root privileges. This issue impacts system security and could lead to data exposure or system manipulation. **Recommendations** Update Incus to version 6.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** Incus versions prior to 6.23.0 **Description** Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server initiated by `incus webui` does not properly validate authentication tokens, accepting invalid values. `incus webui` operates a local web server on a random localhost port, providing a URL with an authentication token for access. Upon access, Incus creates a cookie to persist the token, eliminating the need to include it in subsequent HTTP requests. While the Incus client correctly validates the cookie, it fails to validate the token when passed in the URL. This allows an attacker who can access the temporary web server on localhost to gain the same level of access as the user who launched `incus webui`, potentially leading to privilege escalation by another local user or access to the user's Incus instances and system resources by a remote attacker who can trick the local user into interacting with the Incus UI web server. **Recommendations** Update to Incus version 6.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** Incus versions prior to 6.23.0 **Description** Incus is a system container and virtual machine manager. Incus instances allow providing credentials to systemd within the guest environment, managed through a shared directory for containers. Prior to version 6.23.0, an attacker could manipulate a configuration key, such as `systemd.credential.../../../../../../root/.bashrc`, to induce Incus to write files outside the designated `credentials` directory. This is possible because the Incus syntax for credentials, `systemd.credential.XYZ`, permits multiple periods within the `XYZ` component. While reading data is not possible through this method, writing to arbitrary files as root is achievable, potentially leading to privilege escalation and denial of service attacks. The vulnerability leverages the ability to traverse directory structures using specially crafted credential names. **Recommendations** Versions prior to 6.23.0 should be updated to version 6.23.0 or later.

**Nome do software vulnerável e versões afetadas** Versões do Fides 2.19.0 a 2.43.x **Descrição** O recurso de modelos de e-mail do Fides utiliza o Jinja2 sem a devida sanitização de entradas ou restrições no ambiente de renderização, permitindo a injeção de modelos no lado do servidor (Server-Side Template Injection), o que possibilita a execução remota de código por usuários privilegiados. Um usuário privilegiado refere-se a um usuário da interface de usuário administrativa com a função padrão `Owner` ou `Contributor`, que pode escalar seu acesso e executar código no contêiner do servidor web Fides subjacente, onde a função de renderização de modelos Jinja é executada. A vulnerabilidade permite que um invasor com privilégios suficientes execute código arbitrário remotamente e escale seus privilégios para os de um usuário no contêiner do servidor web Fides, concedendo controle sobre o aplicativo do servidor web Fides e acesso não autorizado a recursos integrados. **Recomendações** Para as versões 2.19.0 a 2.43.x do Fides, atualize para a versão 2.44.0 ou posterior para proteger seu sistema contra essa ameaça. Como solução alternativa temporária, considere restringir o acesso ao recurso de Modelos de E-mail para usuários não privilegiados até que um patch seja aplicado. Restrinja o acesso ao endpoint da API `PUT /api/v1/messaging/templates/` para minimizar o risco de exploração. Evite usar o escopo `messaging-template:update` para clientes OAuth até que o problema seja resolvido. No momento, não há outras informações sobre soluções alternativas adicionais.

**Name of the Vulnerable Software and Affected Versions** Fides versions prior to 2.22.1 **Description** The Fides web application is vulnerable to a Server-Side Request Forgery (SSRF) attack. This occurs when a malicious user uploads a specially crafted YAML dataset and config file as a ZIP file, allowing them to perform arbitrary requests to internal systems and exfiltrate data outside the environment. The application fails to properly validate attempts to connect to internal resources, including localhost. Exploitation of this issue is limited to API clients with the `CONNECTOR TEMPLATE REGISTER` authorization scope, which is typically restricted to highly privileged users, such as root users and users with the owner role. **Recommendations** For versions prior to 2.22.1, upgrade to version 2.22.1 or later to secure your system against this threat. As a temporary workaround, consider restricting access to the `CONNECTOR TEMPLATE REGISTER` authorization scope to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Fides versions 2.11.0 through 2.19.0 **Description** The Fides webserver API allows custom integrations to be uploaded as a ZIP file, which can contain YAML files and custom Python code. The custom code is executed in a restricted environment, but this sandbox can be bypassed to execute arbitrary code. This allows the execution of arbitrary code on the target system within the context of the webserver python process owner, which is `root` by default, and can be used to attack underlying infrastructure and integrated systems. Exploitation is limited to API clients with the `CONNECTOR TEMPLATE REGISTER` authorization scope, which is restricted to highly privileged users. The vulnerability can only be exploited if the security configuration parameter `allow custom connector functions` is enabled. **Recommendations** For Fides versions 2.11.0 through 2.18.0, upgrade to version 2.19.0 or later to secure the system against this threat. For users unable to upgrade, ensure that `allow custom connector functions` in `fides.toml` and the `FIDES SECURITY ALLOW CUSTOM CONNECTOR FUNCTIONS` environment variable are both either unset or explicitly set to `False`.