PT-2023-29641 · Frigate · Frigate

Jorgectf +1 · Published 2023-10-30 · Updated 2023-12-13 · CVE-2023-45672

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Frigate versions prior to 0.13.0 Beta 3

Description

Frigate is an open source network video recorder. An unsafe deserialization vulnerability was identified in the endpoints used to save configurations for Frigate, which can lead to unauthenticated remote code execution. It can be triggered through the UI at "/config" or through a direct call to "/api/config/save".

Exploiting this vulnerability requires the attacker to know specific information about a user's Frigate server and to trick an authenticated user into clicking a specially crafted link to their Frigate instance. The vulnerability can be exploited if Frigate is publicly exposed to the internet, the attacker knows the address of a user's Frigate instance, and the attacker can get an authenticated user to visit a specialized page and click a button/link.

Input is initially accepted through http.py and then parsed and loaded by load_config_with_no_duplicates, which does not sanitize the input because it uses yaml.loader.Loader, a loader that can construct arbitrary Python objects from tagged YAML. A provided payload will be executed directly at frigate/util/builtin.py:110, potentially leading to pre-authenticated Remote Code Execution.

Recommendations

For versions prior to 0.13.0 Beta 3, update to version 0.13.0 Beta 3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/config" UI endpoint and the "/api/config/save" API endpoint to minimize the risk of exploitation. Additionally, avoid publicly exposing Frigate to the internet and limit access to trusted users to reduce the attack surface.
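The description attributes the issue to a duplicate-rejecting config loader built on yaml.loader.Loader. The sketch below is an added example, not Frigate's code or its actual fix: it keeps the duplicate-key check but bases it on PyYAML's SafeLoader, so Python-specific tags are refused instead of constructed. The names SafeNoDuplicatesLoader, load_config_safely and is_rejected are hypothetical, the sample documents are constructed, and PyYAML is assumed to be installed.

```python
import yaml
from yaml.constructor import ConstructorError


class SafeNoDuplicatesLoader(yaml.SafeLoader):
    """SafeLoader (plain YAML types only) that also rejects repeated keys."""

    def construct_mapping(self, node, deep=False):
        seen = set()
        for key_node, _ in node.value:
            key = self.construct_object(key_node, deep=True)
            try:
                duplicate = key in seen
            except TypeError:  # unhashable key such as a list or mapping
                raise ConstructorError("while constructing a mapping", node.start_mark,
                                       "found unhashable key", key_node.start_mark)
            if duplicate:
                raise ConstructorError("while constructing a mapping", node.start_mark,
                                       f"found duplicate key {key!r}", key_node.start_mark)
            seen.add(key)
        return super().construct_mapping(node, deep=deep)


def load_config_safely(raw: str) -> dict:
    """Parse untrusted config text; raises yaml.YAMLError or ValueError."""
    config = yaml.load(raw, Loader=SafeNoDuplicatesLoader)
    if not isinstance(config, dict):
        raise ValueError("top-level config must be a mapping")
    return config


def is_rejected(raw: str) -> bool:
    try:
        load_config_safely(raw)
    except (yaml.YAMLError, ValueError):
        return True
    return False


# Constructed sample inputs (not taken from the advisory).
GOOD = "mqtt:\n  host: broker.example\ncameras: {}\n"
TAGGED = "mqtt:\n  host: !!python/name:builtins.len\n"   # Python-specific tag
DUPLICATE = "mqtt:\n  host: a\nmqtt:\n  host: b\n"

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("tagged", TAGGED), ("duplicate", DUPLICATE)):
        print(f"{name}: {'rejected' if is_rejected(doc) else 'accepted'}")
```

The tagged document fails with a ConstructorError because SafeLoader registers no constructor for `python/` tags, which is the property yaml.loader.Loader lacks.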

Exploit

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2023-45672
GHSA-QP3H-4Q62-P428

Affected Products

Frigate