#js

### Summary The Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. ### Details The application enables the creation of message templates that are sent via email to Fides Privacy Center users (data subjects) who raise privacy requests such as data subject access requests or consent management requests via the Privacy Center. These emails are triggered at various points in the request processing flow, for example when a request is denied or approved. The messages are defined using Jinja2 templates, allowing the use of statement and expression directives to craft more complex messages that includ...

A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. ### Impact This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. ### Patches The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. ### Workarounds There are no workarounds. ### Proof of Concept 1....

North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview. The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for

Debian Linux Security Advisory 5765-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

Red Hat Security Advisory 2024-6297-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2024-6274-03 - Red Hat OpenShift distributed tracing 3.3.0.

Red Hat Security Advisory 2024-6268-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2024-6267-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a use-after-free vulnerability.

### Details The `/api/v2/simulation` [POST handler](https://github.com/spectolabs/hoverfly/blob/15d6ee9ea4e0de67aec5a41c28d21dc147243da0/core/handlers/v2/simulation_handler.go#L87) allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary files from the Hoverfly server. ```go # https://github.com/spectolabs/hoverfly/blob/15d6ee9ea4e0de67aec5a41c28d21dc147243da0/core/hoverfly_funcs.go#L186 func (hf *Hoverfly) readResponseBodyFile(filePath string) (string, error) { if filepath.IsAbs(filePath) { return "", fmt.Errorf("bodyFile contains absolute path (%s). only relative is supported", filePath) } fileContents, err := ioutil.ReadFile(filepath.Join(hf.Cfg.ResponsesBodyFilesPath, filePath)) if err != nil { return "", err } return string(fileContents[:]), nil } ``` Note that, although the code prevents absolute paths from being specified, an attacker can escape out of the `hf.Cfg.ResponsesB...

### Impact It is possible to inject and run code within the template if the attacker has access to write the template name. ```js const { template } = require('@blakeembrey/template'); template("Hello {{name}}!", "exploit() {} && ((()=>{ console.log('success'); })()) && function pwned"); ``` ### Patches Upgrade to 1.2.0. ### Workarounds Don't pass untrusted input as the template display name, or don't use the display name feature. ### References Fixed by removing in https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa.