CVE-2024-45053

9.1 CRITICAL

📋 TL;DR

This CVE describes a Server-Side Template Injection (SSTI) vulnerability in the Email Templating feature of the Fides privacy platform. A privileged user (Owner or Contributor role) can save an email template containing Jinja2 expressions that execute arbitrary code on the underlying Fides Webserver container. Fides versions 2.19.0 through 2.43.0 are affected; 2.44.0 fixes the issue.

💻 Affected Systems

Products:
  • Fides
Versions: 2.19.0 to 2.43.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires an authenticated account holding the Owner or Contributor role; no unauthenticated path is known. The Email Templating feature renders templates with the Jinja2 templating engine, and the flaw is that template text supplied by those users is rendered by that engine without sufficient restriction, so template syntax becomes a path to the Python runtime.
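The rendering flaw in general terms, as an added example that is not Fides code: a Jinja2 template string controlled by the template author is rendered by a plain Environment (vulnerable pattern) and by a SandboxedEnvironment (hardened pattern). The sample templates, context variables and function names are constructed here; the malicious template uses the well-known generic Jinja2 gadget (walking self.__init__.__globals__ to builtins), not anything published for this CVE.

```python
"""Added example (not Fides code): why a user-controlled Jinja2 template string is
code execution, and how a sandboxed environment stops it. All names and sample
templates below are constructed for illustration."""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Variables a notification email would legitimately use (constructed sample data).
CONTEXT = {"name": "Alice", "request_id": "req-123"}

# A benign template of the kind an administrator is meant to save.
BENIGN = "Hello {{ name }}, your privacy request {{ request_id }} is complete."

# A malicious template body. Inside a Jinja2 template, `self` is a
# TemplateReference object; its __init__.__globals__ is the jinja2.runtime module
# namespace, which holds __builtins__, from which __import__('os') yields a shell.
# Generic, public Jinja2 SSTI gadget; not taken from the Fides advisory.
MALICIOUS = (
    "{{ self.__init__.__globals__.__builtins__.__import__('os')"
    ".popen('echo pwned').read() }}"
)


def render_unsandboxed(source: str) -> str:
    """Vulnerable pattern: a plain Environment executes whatever the author wrote."""
    return Environment().from_string(source).render(**CONTEXT)


def render_sandboxed(source: str) -> str:
    """Hardened pattern: SandboxedEnvironment refuses attribute access whose name
    starts with an underscore (and other unsafe operations) by raising SecurityError.
    Ordinary variable substitution keeps working."""
    return SandboxedEnvironment().from_string(source).render(**CONTEXT)


def sandbox_blocks(source: str) -> bool:
    """True if the sandbox rejected the template instead of executing it."""
    try:
        render_sandboxed(source)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print(render_unsandboxed(BENIGN))
    print(render_unsandboxed(MALICIOUS))   # the shell command ran: prints pwned
    print(render_sandboxed(BENIGN))        # templating still works in the sandbox
    print(sandbox_blocks(MALICIOUS))       # True: SecurityError raised
```

The point for an operator is the asymmetry: the benign template renders identically under both environments, so sandboxing costs nothing for legitimate notification templates, while the gadget is stopped at the first underscore-prefixed attribute rather than at some keyword list.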

📦 What is this software?

Fides is Ethyca's open-source privacy engineering platform: a Python (FastAPI) webserver plus an admin UI used for data mapping, consent management and automating privacy (DSAR) requests against connected data stores. The Email Templating feature lets administrators customize the notification emails Fides sends while processing those requests.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the Fides webserver container: the attacker runs code as the webserver process, reads the database credentials and integration secrets the container holds, exfiltrates the personal data Fides processes, and pivots to the connected data stores and the surrounding environment.

🟠

Likely Case

A malicious or compromised Owner/Contributor account escalates from application administration to shell-level access on the Fides container, and from there reads or alters the privacy data and integration credentials the system holds.

🟢

If Mitigated

Access controls and monitoring shrink the set of accounts that can exploit the flaw to a few trusted, individually accountable users and make abuse visible, but they do not remove the code-execution path; only upgrading does. A compromised or malicious Owner/Contributor account can still run code on the webserver container.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated Owner or Contributor account. Once that access is held, exploitation is straightforward: the attacker only needs to save a template containing Jinja2 expressions, and Jinja2 SSTI techniques are thoroughly documented, so no memory corruption, race or custom tooling is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.44.0

Vendor Advisory: https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx

Restart Required: Yes

Instructions:

1. Back up your Fides configuration and database.
2. Stop the Fides service.
3. Update to version 2.44.0 or later using your deployment method (Docker, Kubernetes, etc.).
4. Restart the Fides service.
5. Verify the update was successful (the running version reports 2.44.0 or later).

🧯 If You Can't Patch

  • Restrict the Owner and Contributor roles to the smallest set of trusted, individually accountable users; review current role assignments and remove stale or shared accounts.
  • Disable the Email Templating feature if your deployment does not need it.
  • Review existing email templates for Jinja2 syntax beyond simple variable substitution (attribute chains, double-underscore names, function calls, the |attr filter), and treat any template edit by a privileged user as a change that needs a second reviewer until you can patch.

🔍 How to Verify

Check if Vulnerable:

Check your Fides version. If it's between 2.19.0 and 2.43.0 inclusive, you are vulnerable.

Check Version (replace fides-webserver with your container or pod name; the webserver's /health endpoint also returns the running version in its JSON response):

docker exec fides-webserver fides --version

Verify Fix Applied:

After updating, confirm the reported version is 2.44.0 or later, then send a test notification from an existing template to confirm variable substitution still renders correctly. Do not validate the fix by saving an exploit payload in a shared production template; if you need a functional check, use a disposable template on a non-production instance and delete it afterwards.

📡 Detection & Monitoring

Log Indicators:

  • Template rendering errors in Fides logs (Jinja2 syntax or security errors) that do not correspond to a known template change
  • Email template create/update events by privileged users outside normal change windows, or by accounts that have never edited templates before
  • Shell or network-tool child processes (sh, bash, curl, python -c) spawned by the Fides webserver process, which has no reason to spawn them

Network Indicators:

  • Unusual outbound connections from Fides container
  • Email-template create/update API requests whose body contains double-underscore attribute names, __import__, popen, __subclasses__ or |attr( (a filter used to evade naive keyword checks)

SIEM Query:

source="fides" AND ("template" OR "jinja" OR "email_template") AND ("error" OR "exception" OR "exec")
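A detection check to complement the log query above, as an added example that is not Fides code: it inspects email-template bodies (pulled from API request logs or from stored templates) with Jinja2's own parser and flags the constructs sandbox-escape attempts rely on. Parsing rather than grepping means bracket-style access and the |attr filter are caught, not just dotted names. The sample bodies, the function names and the name lists are constructed here; the flagged names are generic SSTI gadget pieces, not indicators published for this CVE.

```python
"""Added example (not Fides code): static check for Jinja2 template bodies that
flags constructs typical of sandbox-escape attempts. Sample bodies are constructed."""
from jinja2 import Environment, TemplateSyntaxError, nodes

# Attribute, item and filter targets a notification template never needs.
DANGEROUS_NAMES = {
    "__class__", "__mro__", "__subclasses__", "__globals__", "__builtins__",
    "__import__", "__init__", "__getattribute__", "popen", "system",
}
# Template-level names only useful for probing (`self` is the TemplateReference).
DANGEROUS_VARS = {"self"}


def _is_dangerous(name: str) -> bool:
    return name.startswith("_") or name in DANGEROUS_NAMES


def ssti_findings(source: str) -> list[str]:
    """Return sorted, de-duplicated findings for one template body.
    Unparsable input is reported too: a submitted template that does not parse
    is worth a look (probing often leaves broken syntax), not a silent skip."""
    try:
        tree = Environment().parse(source)
    except TemplateSyntaxError as exc:
        return [f"syntax error: {exc.message}"]
    found = set()
    for node in tree.find_all(nodes.Getattr):          # obj.__class__
        if _is_dangerous(node.attr):
            found.add(f"getattr:{node.attr}")
    for node in tree.find_all(nodes.Getitem):          # obj['__class__']
        arg = node.arg
        if isinstance(arg, nodes.Const) and isinstance(arg.value, str):
            if _is_dangerous(arg.value):
                found.add(f"getitem:{arg.value}")
    for node in tree.find_all(nodes.Filter):           # obj|attr('__class__')
        if node.name == "attr":
            for arg in node.args:
                if isinstance(arg, nodes.Const) and isinstance(arg.value, str):
                    if _is_dangerous(arg.value):
                        found.add(f"filter:attr:{arg.value}")
    for node in tree.find_all(nodes.Name):             # bare `self`
        if node.name in DANGEROUS_VARS:
            found.add(f"name:{node.name}")
    return sorted(found)


def scan(templates: dict[str, str]) -> dict[str, list[str]]:
    """Run the check over a batch keyed by request id or template id and keep
    only the entries that produced findings."""
    return {key: f for key, body in templates.items() if (f := ssti_findings(body))}


# Constructed sample bodies: one legitimate, four that should be flagged.
SAMPLES = {
    "benign": "Hello {{ name }}, your privacy request {{ request_id }} is complete.",
    "dotted": "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}",
    "bracket": "{{ ''['__class__']['__mro__'] }}",
    "filter": "{{ ''|attr('__class__') }}",
    "broken": "{{ name ",
}

if __name__ == "__main__":
    for key, findings in scan(SAMPLES).items():
        print(f"{key}: {findings}")
```

Run it over the bodies of template create/update requests as they are logged, or periodically over the stored templates; any non-empty result from a production instance is a candidate incident, since legitimate notification templates need nothing beyond plain variable substitution.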

🔗 References

  • Vendor advisory GHSA-c34r-238x-f7qx: https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-45053