CVE-2023-1305

Name of the Vulnerable Software and Affected Versions InsightCloudSec versions prior to 23.2.1

Description An authenticated attacker can leverage an exposed “box” object to read and write arbitrary files from disk, provided those files can be parsed as yaml or JSON. This issue was resolved in the Managed and SaaS deployments on February 1, 2023.

Recommendations For versions prior to 23.2.1, update to version 23.2.1 to resolve the issue. As a temporary workaround, consider restricting access to the exposed “box” object until the update is applied.