PT-2023-27904 · Fides · Fides
Grmpyninja · Published 2023-09-06 · Updated 2023-09-13
CVE-2023-41319 · CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Fides versions 2.11.0 through 2.19.0

Description: The Fides webserver API allows custom integrations to be uploaded as a ZIP file, which can contain YAML files and custom Python code. The custom code is executed in a restricted environment, but this sandbox can be bypassed to execute arbitrary code. This allows arbitrary code execution on the target system in the context of the webserver Python process owner, which is root by default, and can be used to attack the underlying infrastructure and integrated systems. Exploitation is limited to API clients with the CONNECTOR_TEMPLATE_REGISTER authorization scope, which is restricted to highly privileged users. The vulnerability can only be exploited if the security configuration parameter allow_custom_connector_functions is enabled.

Recommendations: For Fides versions 2.11.0 through 2.18.0, upgrade to version 2.19.0 or later to secure the system against this threat. For users unable to upgrade, ensure that allow_custom_connector_functions in fides.toml and the FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS environment variable are both either unset or explicitly set to False.
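As an added example (not part of this advisory and not Fides project code), the following Python check applies the recommendation above to a deployment: it takes the running version, a fides.toml fragment and the process environment, and reports whether the custom-code path is reachable. It assumes that the environment variable overrides the file, as Fides' settings loader does, that the key lives in the [security] table, and the affected range stated in the Recommendations (2.11.0 up to, but not including, the fixed 2.19.0); the sample configs are constructed.

```python
"""Audit helper for CVE-2023-41319: is custom connector code reachable?"""
import os

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

ENV_VAR = "FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS"
# Assumption: strings accepted as "enabled" when the flag comes from the environment.
TRUTHY = {"1", "true", "yes", "on"}
FIRST_AFFECTED = "2.11.0"
FIXED_VERSION = "2.19.0"

# Constructed sample configs (not real deployment files): weak setting vs hardened one.
WEAK_TOML = "[security]\nallow_custom_connector_functions = true\n"
HARDENED_TOML = "[security]\nallow_custom_connector_functions = false\n"


def version_tuple(version):
    """'2.18.0' -> (2, 18, 0) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split(".")[:3])


def is_affected_version(version):
    """Affected per the Recommendations: 2.11.0 up to, not including, 2.19.0."""
    return version_tuple(FIRST_AFFECTED) <= version_tuple(version) < version_tuple(FIXED_VERSION)


def custom_functions_enabled(config_toml, env):
    """Effective value of allow_custom_connector_functions.
    Assumption: the env var wins over fides.toml; the key sits in [security]."""
    if ENV_VAR in env:
        return env[ENV_VAR].strip().lower() in TRUTHY
    security = tomllib.loads(config_toml).get("security", {})
    return bool(security.get("allow_custom_connector_functions", False))


def assess(version, config_toml, env):
    """Return (exposed, reason) for one deployment."""
    if not is_affected_version(version):
        return False, f"Fides {version} is outside the affected range"
    if custom_functions_enabled(config_toml, env):
        return True, "flag enabled on an affected version: upgrade to 2.19.0 or set it to False"
    return False, "custom connector functions disabled; sandboxed code path not reachable"


if __name__ == "__main__":
    cases = [("2.15.0", WEAK_TOML, {}), ("2.15.0", WEAK_TOML, {ENV_VAR: "False"}),
             ("2.15.0", HARDENED_TOML, dict(os.environ)), ("2.19.0", WEAK_TOML, {})]
    for ver, cfg, env in cases:
        print(ver, *assess(ver, cfg, env))
```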

Weakness Enumeration: Code Injection; Protection Mechanism Failure

Related Identifiers: CVE-2023-41319, GHSA-P6P2-QQ95-VQ5H

Affected Products: Fides