CVE-2023-1304

Name of the Vulnerable Software and Affected Versions InsightCloudSec versions prior to 23.2.1

Description An authenticated attacker can leverage an exposed getattr() method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. This issue was resolved in the Managed and SaaS deployments on February 1, 2023.

Recommendations For versions prior to 23.2.1, update to version 23.2.1 to resolve the issue. As a temporary workaround, consider restricting access to the Jinja template and the getattr() method to minimize the risk of exploitation.