CVE-2024-5023
Python vulnerability analysis and mitigation

Overview

A critical command injection vulnerability (CVE-2024-5023) was discovered in Netflix ConsoleMe affecting versions before 1.4.0. The vulnerability allows authenticated users to perform command injection through improper neutralization of special elements in commands. The issue was disclosed on May 16, 2024, and primarily affects deployments of ConsoleMe that allow templated resources (Netflix Advisory).

Technical details

The vulnerability stems from improper sanitization of user-supplied filenames in the self-service flow for templated resources. When processing JSON post bodies containing filenames for templated resources, the application passes the user-supplied filename directly as a string to a CLI command without proper validation. This allows attackers to input command flags instead of filenames. The vulnerability has received a CVSS v4.0 base score of 9.3 (CRITICAL) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N (Netflix Advisory).
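The following Python example is added here to illustrate the bug class the advisory describes; it is hypothetical code, not ConsoleMe's source or its patch. It uses a small stand-in CLI parser (`parse_tool_argv`, with one benign `--verbose` option) and an assumed template directory (`TEMPLATE_ROOT`) to show why a filename taken from a JSON body and dropped straight into argv is interpreted as an option when it starts with `-`, and how a hardened version validates the name, confines it to the template directory and uses `--` to end option parsing:

```python
"""CVE-2024-5023 bug class: a user-supplied filename is passed as a CLI
argument without validation, so a value beginning with '-' is parsed by the
tool as an option rather than as a file name. Hypothetical illustration."""
import argparse
import json
import pathlib
import re

# Assumption: the directory that templated resources are supposed to live in.
TEMPLATE_ROOT = pathlib.Path("/srv/templates")

# Only plain file names: must start with an alphanumeric, so neither a leading
# '-' (option) nor a leading '.' (dotfile, '..') can get through.
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def parse_tool_argv(argv):
    """Stand-in for the real CLI the filename is handed to (constructed here).
    Returns (namespace, unrecognised_args) instead of exiting on bad input."""
    parser = argparse.ArgumentParser(prog="tool", add_help=False)
    parser.add_argument("--verbose", action="store_true")
    parser.add_argument("file", nargs="?")
    return parser.parse_known_args(argv)


def argv_unsafe(filename):
    """Vulnerable pattern: the request value becomes an argv element as-is."""
    return [filename]


def validate_filename(filename, root=TEMPLATE_ROOT):
    """Accept only a simple file name that resolves to a direct child of root."""
    if not isinstance(filename, str) or not filename:
        raise ValueError("filename must be a non-empty string")
    if filename.startswith("-"):
        raise ValueError("leading '-' would be parsed as a CLI option")
    if not FILENAME_RE.fullmatch(filename):
        raise ValueError("filename contains disallowed characters")
    resolved = (root / filename).resolve()
    if resolved.parent != root.resolve():
        raise ValueError("filename escapes the template directory")
    return resolved


def argv_hardened(filename, root=TEMPLATE_ROOT):
    """Hardened pattern: validated absolute path, preceded by '--' so the
    tool stops option parsing even if validation is ever loosened."""
    path = validate_filename(filename, root)
    return ["--", str(path)]


def handle_request(body_json, root=TEMPLATE_ROOT):
    """Process a self-service request body; returns ('ok', argv) or
    ('rejected', reason) so callers can log and alert on rejected names."""
    body = json.loads(body_json)
    try:
        return "ok", argv_hardened(body["filename"], root)
    except (KeyError, ValueError) as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed request bodies: a normal name and an option-shaped name.
    for body in ('{"filename": "role.yaml"}', '{"filename": "--verbose"}'):
        name = json.loads(body)["filename"]
        ns, _ = parse_tool_argv(argv_unsafe(name))
        print(body, "unsafe  ->", vars(ns))
        print(body, "hardened ->", handle_request(body))
```

With the unsafe builder, `--verbose` sets the tool's flag and leaves `file` empty; the hardened builder rejects it before any process is spawned, which is also the place to emit an audit event, since a filename that starts with `-` is never a legitimate templated-resource request.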

Impact

The vulnerability allows authenticated users to achieve limited Remote Code Execution (RCE) in ConsoleMe, though currently restricted to flag inputs on a single CLI command. While full RCE is considered unlikely, the vulnerability enables authenticated users to read any server files accessible by the ConsoleMe process. Given ConsoleMe's role as an AWS identity broker, accessing files containing secrets on the server could potentially be exploited for privilege escalation (Netflix Advisory).

Mitigation and workarounds

The vulnerability has been patched in ConsoleMe version 1.4.0 via PR #9380. For organizations unable to upgrade immediately, there are two alternative mitigations: 1) selectively applying the code changes from the patch PR, or 2) removing the configuration item cacheresourcetemplates.repositories or setting it to an empty array. Note that the second option disables the templated resources functionality (Netflix Advisory).

Additional resources


SourceThis report was generated using AI
