CVE-2023-1304
Summary
| CVE | CVE-2023-1304 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-03-21 17:15:00 UTC |
| Updated | 2023-11-07 04:03:00 UTC |
| Description | An authenticated attacker can leverage an exposed getattr() method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec. |
Risk And Classification
Problem Types: CWE-94
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Rapid7 | Insightappsec | All | All | All | All |
| Application | Rapid7 | Insightcloudsec | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 23.3.21 Release Notes | MISC | docs.divvycloud.com | |
| Exploiting Rapid7’s InsightCloudSec – NephōSec | MISC | nephosec.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.