CVE-2024-38363

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-38363
Airbyte is a data integration platform for ELT pipelines. Airbyte connection builder docker image is vulnerable to RCE via SSTI which allows an authenticated remote attacker to execute arbitrary code on the server as the web server user. The connection builder is used to create and test new connectors. Sensitive information, such as credentials, could be exposed if a user tested a new connector on a compromised instance. The connection builder does not have access to any data processes. This vulnerability is fixed in 0.62.2.

8.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq
https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq
Configurations

No configuration.

History

21 Nov 2024, 09:25

Type Values Removed Values Added
References () https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq - () https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq -
Summary
  • (es) Airbyte es una plataforma de integración de datos para tuberías ELT. La imagen acoplable del generador de conexiones Airbyte es vulnerable a RCE a través de SSTI, lo que permite a un atacante remoto autenticado ejecutar código arbitrario en el servidor como usuario del servidor web. El generador de conexiones se utiliza para crear y probar nuevos conectores. La información confidencial, como las credenciales, podría quedar expuesta si un usuario probara un nuevo conector en una instancia comprometida. El creador de conexiones no tiene acceso a ningún proceso de datos. Esta vulnerabilidad se solucionó en 0.62.2.

09 Jul 2024, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-07-09 15:15

Updated : 2024-11-21 09:25

NVD link : CVE-2024-38363

Mitre link : CVE-2024-38363

CVE.ORG link : CVE-2024-38363

JSON object : View

Products Affected

No product.

CWE
CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine