VYPR
Severity: Unrated · NVD Advisory · Published Mar 21, 2023 · Updated Feb 26, 2025

Rapid7 InsightCloudSec box object access

CVE-2023-1305

Description

An authenticated attacker can leverage an exposed “box” object to read and write arbitrary files from disk, provided those files can be parsed as yaml or JSON. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated attacker can read or write arbitrary YAML/JSON files on the InsightCloudSec server via an exposed 'box' object.

Vulnerability

An authenticated attacker with access to the InsightCloudSec (formerly DivvyCloud) bot framework can leverage an exposed box object to read and write arbitrary files from the server's filesystem, provided those files are parsable as YAML or JSON. The vulnerability exists in the bot engine's Jinja2 template rendering functionality. The issue affects all versions prior to the Managed and SaaS deployments patched on February 1, 2023, and version 23.2.1 of the Self-Managed deployment [1][2].

Exploitation

To exploit this vulnerability, an attacker must first have the ability to create or edit bots within InsightCloudSec. This requires at minimum the "Bot creator" or "Bot editor" role. The attacker then creates a bot with a filter that triggers execution, and embeds a Jinja2 template that references the exposed box object to read or write arbitrary files. The attacker can control the file path and content, limited to files that can be parsed as YAML or JSON [1].

Impact

Successful exploitation allows an authenticated attacker to read sensitive files from the server (information disclosure) and write arbitrary YAML/JSON files (potential data corruption or code injection). The attacker gains access at the privilege level of the application process, which could potentially lead to further server compromise [1].

Mitigation

The vulnerability was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec. Users should upgrade to the latest version. No workarounds are documented; the fix prevents the misuse of the box object in Jinja2 templates [1][2].
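The root cause described above is a capability-bearing helper object reaching a template that bot authors control. One general defensive pattern, shown here as an added example that is not Rapid7's fix and not InsightCloudSec code, is to make the template context data-only before rendering and to audit existing templates for references to the leaked name. `FileBox`, `data_only`, `build_template_context` and `find_capability_references` are constructed names for this illustration; the only detail taken from the advisory is the object name `box`.

```python
import re
from typing import Any

# Constructed stand-in for a capability-bearing helper (hypothetical; not the real
# InsightCloudSec object). Anything whose methods touch disk belongs to the engine,
# never to the context handed to a user-authored Jinja2 template.
class FileBox:
    def __init__(self, root: str) -> None:
        self.root = root

    def load(self, relative_path: str) -> dict:
        # Would read and parse a YAML/JSON file; deliberately not implemented here.
        raise NotImplementedError


class UnsafeContextError(ValueError):
    """Raised when a non-data object would be exposed to a user-controlled template."""


_SCALARS = (str, int, float, bool, type(None))


def data_only(value: Any, path: str = "$") -> Any:
    """Deep-copy *value*, admitting only JSON-style data (scalars, lists, str-keyed dicts).

    Any other object, including helpers like FileBox, raises UnsafeContextError that
    names the position in the context where it was found.
    """
    if isinstance(value, _SCALARS):
        return value
    if isinstance(value, (list, tuple)):
        return [data_only(item, f"{path}[{i}]") for i, item in enumerate(value)]
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            if not isinstance(key, str):
                raise UnsafeContextError(f"{path}: non-string key {key!r}")
            out[key] = data_only(item, f"{path}.{key}")
        return out
    raise UnsafeContextError(f"{path}: {type(value).__name__} is not plain data")


def build_template_context(resource: dict, **extras: Any) -> dict:
    """Assemble the variables a bot template may see, rejecting anything that is not plain data."""
    return data_only({"resource": resource, **extras})


# Matches Jinja2 expression ({{ ... }}) and statement ({% ... %}) tags.
_TAG = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)


def find_capability_references(template_src: str, names=("box",)) -> list:
    """Audit aid for existing templates: (line_number, name) for each forbidden name used inside a tag."""
    hits = []
    for match in _TAG.finditer(template_src):
        line_no = template_src.count("\n", 0, match.start()) + 1
        for name in names:
            if re.search(rf"\b{re.escape(name)}\b", match.group(0)):
                hits.append((line_no, name))
    return hits


if __name__ == "__main__":
    # Constructed sample resource: plain data passes through unchanged.
    print(build_template_context({"id": "i-1", "tags": ["a", "b"]}, region="us-east-1"))
    # A helper object in the context is refused before any template is rendered.
    try:
        build_template_context({"id": "i-1"}, box=FileBox("/opt/app"))
    except UnsafeContextError as err:
        print("rejected:", err)
    # Constructed template text for the audit scan.
    print(find_capability_references("Hello {{ resource.id }}\n{{ box.load('x.yaml') }}"))
```

The sanitizer runs before rendering, so the refusal is independent of which template engine or sandbox is in use; the audit scan is only a triage aid, since a name inside a tag can also be reached through aliases the regex does not follow.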

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 2
