CVE-2024-38363

Name of the Vulnerable Software and Affected Versions Airbyte versions prior to 0.62.2

Description The Airbyte connection builder docker image is vulnerable to remote code execution (RCE) via server-side template injection (SSTI), allowing an authenticated remote attacker to execute arbitrary code on the server as the web server user. This vulnerability could expose sensitive information, such as credentials, if a user tests a new connector on a compromised instance. However, the connection builder does not have access to any data processes.

Recommendations For versions prior to 0.62.2, update to version 0.62.2 to resolve the issue. As a temporary workaround, consider restricting access to the connection builder to minimize the risk of exploitation.