Arbitrary Code Execution Affecting ethyca-fides package, versions [2.11.0,2.19.0)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-ETHYCAFIDES-5885141
- published 7 Sep 2023
- disclosed 6 Sep 2023
- credit grmpyninja
Introduced: 6 Sep 2023
CVE-2023-41319 Open this link in a new tabHow to fix?
Upgrade ethyca-fides to version 2.19.0 or higher.
Overview
ethyca-fides is an Open-source ecosystem for data privacy as code.
Affected versions of this package are vulnerable to Arbitrary Code Execution when the Fides webserver API is used to upload a ZIP file containing custom Python code. An attacker can execute arbitrary code on the target system within the context of the webserver python process owner on the webserver container, which by default is root, and leverage that access to attack underlying infrastructure and integrated systems by bypassing the sandboxed environment.
Note:
This is only exploitable if the security configuration parameter allow_custom_connector_functions is enabled by the user deploying the Fides webserver container, either in fides.toml or by setting the env var FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS=True.
Workaround
This vulnerability can be mitigated by ensuring that allow_custom_connector_functions in fides.toml and the FIDES__SECURITY__ALLOW_CUSTOM_CONNECTOR_FUNCTIONS are both either unset or explicitly set to False.