PT-2024-31405 · Fides+1 · Fides+1
Grmpyninja · Published 2024-09-04 · Updated 2024-09-06 · CVE-2024-45053
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Fides versions 2.19.0 through 2.43.x
Description
The Email Templating feature in Fides uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default Owner or Contributor role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability allows an attacker with sufficient privileges to execute arbitrary code remotely and escalate their privileges to those of a user on the Fides Webserver container, granting control of the Fides Webserver application and unauthorized access to integrated resources.
Recommendations
For Fides versions 2.19.0 through 2.43.x, upgrade to version 2.44.0 or later to secure your system against this threat.
As a temporary workaround, consider restricting access to the Email Templating feature for non-privileged users until a patch is applied.
Restrict access to the PUT /api/v1/messaging/templates/ API endpoint to minimize the risk of exploitation.
Avoid using the messaging-template:update scope for OAuth clients until the issue is resolved.
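The description names missing input sanitization as one half of the flaw. As an added example (not Fides code and not the 2.44.0 fix), the check below is a strict allowlist applied before a template is stored: it accepts only bare `{{ name }}` placeholders and rejects every other Jinja2 construct. The variable names and sample templates are assumptions.

```python
import re

# Assumption: placeholder names a message template may use (hypothetical set).
ALLOWED_VARS = {"first_name", "dsr_link", "organization_name"}

# Every Jinja2 delimiter under default settings: expression, statement, comment.
DELIM = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")
# The only construct accepted: {{ name }} holding one bare identifier.
PLACEHOLDER = re.compile(r"\{\{[ \t]*([A-Za-z_][A-Za-z0-9_]*)[ \t]*\}\}")


def validate_template(source: str) -> list[str]:
    """Return the reasons to reject `source`; an empty list means accept."""
    problems = []

    def check(match):
        # A well-formed placeholder: verify the name, then blank it out.
        if match.group(1) not in ALLOWED_VARS:
            problems.append(f"unknown variable: {match.group(1)}")
        return ""

    remainder = PLACEHOLDER.sub(check, source)
    # Template syntax that survives is something other than a bare placeholder:
    # attribute access, calls, filters, {% ... %} statements or comments.
    leftover = DELIM.search(remainder)
    if leftover:
        line = remainder.count("\n", 0, leftover.start()) + 1
        problems.append(f"disallowed template syntax {leftover.group(0)!r} on line {line}")
    return problems


# Constructed sample templates, not taken from Fides.
SAMPLES = {
    "plain": "Hello {{ first_name }},\nopen {{dsr_link}} to continue.",
    "unknown": "Hello {{ api_token }}",
    "call": "Hello {{ first_name.upper() }}",
    "statement": "Hi\n{% for item in items %}{{ first_name }}{% endfor %}",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, validate_template(text) or "accepted")
```

A check like this narrows what reaches the renderer; it does not replace upgrading to 2.44.0 or later.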
At the moment, there is no other information about additional workarounds.
Exploit
Fix
Code Injection
Related Identifiers
Affected Products
Fides
Jinja2