Grmpyninja

**Name of the Vulnerable Software and Affected Versions** Incus versions prior to 6.23.0 **Description** Incus, a system container and virtual machine manager, allows instance template files to be used to perform arbitrary read and write operations as root on the host server. The software utilizes pongo2 templates within instances, intended for templating files inside the instance. The pongo2 chroot isolation mechanism, designed to restrict file access to the instance's filesystem, is bypassed, granting access to the entire system's filesystem with root privileges. This issue impacts system security and could lead to data exposure or system manipulation. **Recommendations** Update Incus to version 6.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** Incus versions prior to 6.23.0 **Description** Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server initiated by `incus webui` does not properly validate authentication tokens, accepting invalid values. `incus webui` operates a local web server on a random localhost port, providing a URL with an authentication token for access. Upon access, Incus creates a cookie to persist the token, eliminating the need to include it in subsequent HTTP requests. While the Incus client correctly validates the cookie, it fails to validate the token when passed in the URL. This allows an attacker who can access the temporary web server on localhost to gain the same level of access as the user who launched `incus webui`, potentially leading to privilege escalation by another local user or access to the user's Incus instances and system resources by a remote attacker who can trick the local user into interacting with the Incus UI web server. **Recommendations** Update to Incus version 6.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** Incus versions prior to 6.23.0 **Description** Incus is a system container and virtual machine manager. Incus instances allow providing credentials to systemd within the guest environment, managed through a shared directory for containers. Prior to version 6.23.0, an attacker could manipulate a configuration key, such as `systemd.credential.../../../../../../root/.bashrc`, to induce Incus to write files outside the designated `credentials` directory. This is possible because the Incus syntax for credentials, `systemd.credential.XYZ`, permits multiple periods within the `XYZ` component. While reading data is not possible through this method, writing to arbitrary files as root is achievable, potentially leading to privilege escalation and denial of service attacks. The vulnerability leverages the ability to traverse directory structures using specially crafted credential names. **Recommendations** Versions prior to 6.23.0 should be updated to version 6.23.0 or later.

**Name of the Vulnerable Software and Affected Versions** Fides versions 2.19.0 through 2.43.x **Description** The Email Templating feature in Fides uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability allows an attacker with sufficient privileges to execute arbitrary code remotely and escalate their privileges to those of a user on the Fides Webserver container, granting control of the Fides Webserver application and unauthorized access to integrated resources. **Recommendations** For Fides versions 2.19.0 through 2.43.x, upgrade to version 2.44.0 or later to secure your system against this threat. As a temporary workaround, consider restricting access to the Email Templating feature for non-privileged users until a patch is applied. Restrict access to the `PUT /api/v1/messaging/templates/` API endpoint to minimize the risk of exploitation. Avoid using the `messaging-template:update` scope for OAuth clients until the issue is resolved. At the moment, there is no other information about additional workarounds.

**Name of the Vulnerable Software and Affected Versions** Fides versions prior to 2.22.1 **Description** The Fides web application is vulnerable to a Server-Side Request Forgery (SSRF) attack. This occurs when a malicious user uploads a specially crafted YAML dataset and config file as a ZIP file, allowing them to perform arbitrary requests to internal systems and exfiltrate data outside the environment. The application fails to properly validate attempts to connect to internal resources, including localhost. Exploitation of this issue is limited to API clients with the `CONNECTOR TEMPLATE REGISTER` authorization scope, which is typically restricted to highly privileged users, such as root users and users with the owner role. **Recommendations** For versions prior to 2.22.1, upgrade to version 2.22.1 or later to secure your system against this threat. As a temporary workaround, consider restricting access to the `CONNECTOR TEMPLATE REGISTER` authorization scope to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Fides versions 2.11.0 through 2.19.0 **Description** The Fides webserver API allows custom integrations to be uploaded as a ZIP file, which can contain YAML files and custom Python code. The custom code is executed in a restricted environment, but this sandbox can be bypassed to execute arbitrary code. This allows the execution of arbitrary code on the target system within the context of the webserver python process owner, which is `root` by default, and can be used to attack underlying infrastructure and integrated systems. Exploitation is limited to API clients with the `CONNECTOR TEMPLATE REGISTER` authorization scope, which is restricted to highly privileged users. The vulnerability can only be exploited if the security configuration parameter `allow custom connector functions` is enabled. **Recommendations** For Fides versions 2.11.0 through 2.18.0, upgrade to version 2.19.0 or later to secure the system against this threat. For users unable to upgrade, ensure that `allow custom connector functions` in `fides.toml` and the `FIDES SECURITY ALLOW CUSTOM CONNECTOR FUNCTIONS` environment variable are both either unset or explicitly set to `False`.