Rapid7 InsightCloudSec getattr() method access
Description
An authenticated attacker can leverage an exposed getattr() method via a Jinja template to smuggle OS commands and call methods that are normally expected to be private. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated attacker can use an exposed Jinja template getattr() method in InsightCloudSec to smuggle OS commands.
Vulnerability
An authenticated attacker can leverage an exposed getattr() method via a Jinja template in InsightCloudSec (formerly DivvyCloud) to smuggle OS commands and access private methods. The issue affects the bot framework, which allows Jinja templating within email body content. The vulnerability is present in Managed and SaaS deployments before the fix applied on February 1, 2023, and in Self-Managed versions prior to 23.2.1 [1][2].
Exploitation
To exploit CVE-2023-1304, an authenticated user must have privileges to create or edit bots (roles: Bot creator or Bot editor). The attacker creates a bot that monitors a resource and includes a malicious Jinja template in the email body. When the bot is triggered (e.g., by a specific event like a world-accessible RDP rule), the template is rendered by the application’s Jinja engine, allowing the attacker to invoke getattr() and execute arbitrary OS commands or call private methods [1].
Impact
Successful exploitation allows an authenticated attacker with bot permissions to achieve remote code execution (RCE) on the InsightCloudSec instance. The attacker can smuggle OS commands, potentially leading to full compromise of the application and its underlying infrastructure, including data exfiltration, lateral movement, and further privilege escalation [1].
Mitigation
The vulnerability was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed release of InsightCloudSec (release notes documentation). Users should upgrade to version 23.2.1 or later, or ensure their Managed/SaaS deployment is updated. No workarounds are documented; applying the fixed version is the recommended mitigation [1][2].
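A defender-side review check for the pattern described under Exploitation, as an added example that is not Rapid7's code and not part of the cited advisory: it scans bot email bodies for Jinja blocks that call getattr() or reach underscore-prefixed (private) attributes. It assumes the email bodies have been exported as plain strings; the bot names, bodies and function names below are constructed for illustration.

```python
import re

# Jinja expression ({{ ... }}) and statement ({% ... %}) blocks, possibly multi-line.
BLOCK_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)

# Review heuristics: a getattr() call, or access to a name that is private by
# Python convention (leading underscore). Hits need human review, not auto-blocking.
RULES = [
    ("getattr-call", re.compile(r"\bgetattr\s*\(")),
    ("underscore-attribute", re.compile(r"\.\s*_\w+")),
]


def audit_template(body):
    """Return (line_number, rule, snippet) findings for one email body, in document order."""
    findings = []
    for m in BLOCK_RE.finditer(body):
        code = m.group(1) if m.group(1) is not None else m.group(2)
        line = body.count("\n", 0, m.start()) + 1  # 1-based line where the block opens
        for name, rx in RULES:
            if rx.search(code):
                findings.append((line, name, " ".join(code.split())))
    return findings


def audit_bots(bots):
    """Map bot name -> findings, keeping only bots with at least one hit."""
    report = {}
    for name, body in bots.items():
        hits = audit_template(body)
        if hits:
            report[name] = hits
    return report


# Constructed sample data (hypothetical bots, not taken from any real instance).
SAMPLE_BOTS = {
    "rdp-open-notify": "Resource {{ resource.name }} has an open RDP rule.\n"
                       "Region: {{ resource.region }}",
    "tag-reminder": "Hello,\n{{ getattr(resource, '_refresh')() }}\nplease tag.",
    "owner-lookup": "{% set o = resource._owner %}\nOwner: {{ o }}",
}

if __name__ == "__main__":
    for bot, hits in audit_bots(SAMPLE_BOTS).items():
        for line, rule, snippet in hits:
            print(f"{bot}: line {line}: {rule}: {snippet}")
```

Findings are pattern matches on template text, so a string literal that happens to contain `._name` will also be flagged for review.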
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <23.2.1
- Rapid7/InsightCloudSec (v5), Range: 0
References
[1] nephosec.com/exploiting-rapid7s-insightcloudsec/ (MITRE, third-party advisory)
[2] docs.divvycloud.com/changelog/23321-release-notes (MITRE, release notes)