CVE-2024-45053: 
Python vulnerability analysis and mitigation

Fides, an open-source privacy engineering platform, was found to contain a critical vulnerability in versions 2.19.0 through 2.44.0. The vulnerability exists in the Email Templating feature which uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection (SSTI). This vulnerability was assigned CVE-2024-45053 and was disclosed on September 4, 2024 (GitHub Advisory).

The vulnerability stems from the Email Templating feature's implementation of Jinja2 templates without proper security controls. The application enables the creation of message templates that are sent via email to Fides Privacy Center users. These templates allow the use of statement and expression directives for dynamic message creation, but the Jinja2 environment used for rendering lacks restrictions on Python methods and objects. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (NVD).

The vulnerability allows privileged users (those with Owner or Contributor roles) to execute arbitrary code remotely on the underlying Fides Webserver container. This escalated access grants attackers control of the Fides Webserver application, including unauthorized access to integrated resources such as the hosted database, hosted cache, integrated data stores, and integrated SaaS applications. The potential impacts range from denial of service to the exfiltration of sensitive data (GitHub Advisory).

The vulnerability has been patched in Fides version 2.44.0. Users are strongly advised to upgrade to this version or later to secure their systems. There are no workarounds available for this vulnerability (GitHub Advisory, NVD).