High severity · NVD Advisory · Published Sep 4, 2024 · Updated Sep 4, 2024

Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine

CVE-2024-45053

Description

Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default Owner or Contributor role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version 2.44.0. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.
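The hardened form of the rendering step described above, as an added example that is not code from the Fides project: placeholders in the `__VARIABLE_NAME__` syntax the fix adopts are filled in one pass from an allowlist, so template-engine syntax stays inert text and substituted values are never re-scanned. The function names, the use of the migration's variable list as an allowlist, and the sample templates are assumptions made for illustration.

```python
import re
from typing import List, Mapping

# Variable names the fix commit's migration rewrites; used here as an allowlist
# (an assumption of this example, not a constant from the project).
ALLOWED_VARIABLES = frozenset(
    {"minutes", "days", "denial_reason", "code", "download_link"}
)

# __NAME__ tokens: upper-case segments joined by single underscores.
PLACEHOLDER = re.compile(r"__([A-Z0-9]+(?:_[A-Z0-9]+)*)__")

# Delimiters that only mean something to a template engine such as Jinja2.
JINJA_DELIMITERS = re.compile(r"\{\{|\{%|\{#")


def render_placeholders(template: str, variables: Mapping[str, object]) -> str:
    """Fill allowlisted placeholders in a single pass.

    Nothing in the template is evaluated, and text inserted from `variables`
    is not scanned again, so a value cannot smuggle in another placeholder.
    """

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1).lower()
        if name in ALLOWED_VARIABLES and name in variables:
            return str(variables[name])
        return match.group(0)  # unknown token: leave it as literal text

    return PLACEHOLDER.sub(substitute, template)


def audit_template(content: Mapping[str, str]) -> List[str]:
    """Flag stored template fields that would not render as intended:
    leftover template-engine delimiters, or placeholders outside the allowlist."""
    findings = []
    for field, text in content.items():
        if JINJA_DELIMITERS.search(text):
            findings.append(f"{field}: template-engine delimiters present")
        for name in PLACEHOLDER.findall(text):
            if name.lower() not in ALLOWED_VARIABLES:
                findings.append(f"{field}: unknown placeholder __{name}__")
    return findings


if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    print(render_placeholders(
        "Use code __CODE__ within __MINUTES__ minutes.",
        {"code": "123456", "minutes": 10},
    ))
    stored = {
        "subject": "Your code is {{ code }}",
        "body": "Expires in __MINUTES__ minutes, ref __TICKET__",
    }
    for finding in audit_template(stored):
        print(finding)
```

Running `audit_template` over stored templates after an upgrade surfaces fields that still carry the old brace syntax or a placeholder nothing will fill.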

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: ethyca-fides (PyPI)
Affected versions: >= 2.19.0, < 2.44.0
Patched versions: 2.44.0

Patches

829cbd9cb5ef

Merge commit from fork

https://github.com/ethyca/fides · Andres Torres · Sep 3, 2024 · via ghsa
9 files changed · +182 −67
  • CHANGELOG.md · +3 −0 · modified
    @@ -38,6 +38,9 @@ The types of changes are:
     - TCF Optimized for performance on initial load by offsetting most experience data until after banner is shown [#5230](https://github.com/ethyca/fides/pull/5230)
     - Updates to support DynamoDB schema with Tokenless IAM auth [#5240](https://github.com/ethyca/fides/pull/5240)
     
    +### Security
    +- Removed Jinja2 for email templates, the variables syntax changed from `{{variable_name}}` to `__VARIABLE_NAME__` [CVE-2024-45053](https://github.com/ethyca/fides/security/advisories/GHSA-c34r-238x-f7qx)
    +
     ### Developer Experience
     - Sourcemaps are now working for fides-js in debug mode [#5222](https://github.com/ethyca/fides/pull/5222)
     
    
  • src/fides/api/alembic/migrations/versions/eef4477c37d0_changes_the_email_template_variables_.py · +47 −0 · added
    @@ -0,0 +1,47 @@
    +"""Changes the email template variables syntax from {{variable_name}} to __VARIABLE_NAME__.
    +
    +Revision ID: eef4477c37d0
    +Revises: cc37edf20859
    +Create Date: 2024-09-03 12:47:54.708196
    +
    +"""
    +from alembic import op
    +
    +
    +# revision identifiers, used by Alembic.
    +revision = 'eef4477c37d0'
    +down_revision = 'cc37edf20859'
    +branch_labels = None
    +depends_on = None
    +
    +
    +VARIABLES = ["minutes", "days", "denial_reason", "code", "download_link"]
    +JSON_VARIABLES = ["subject", "body"]
    +
    +
    +def upgrade():
    +    for json_variable in JSON_VARIABLES:
    +        for variable in VARIABLES:
    +            statement = f"""
    +            UPDATE messaging_template
    +            SET content = jsonb_set(
    +                content,
    +                '{{{json_variable}}}',
    +                to_jsonb(REPLACE(content ->> '{json_variable}', '{{{{{variable}}}}}', '__{variable.upper()}__'))
    +            );
    +            """
    +            op.execute(statement)
    +
    +
    +def downgrade():
    +    for json_variable in JSON_VARIABLES:
    +        for variable in VARIABLES:
    +            statement = f"""
    +            UPDATE messaging_template
    +            SET content = jsonb_set(
    +                content,
    +                '{{{json_variable}}}',
    +                to_jsonb(REPLACE(content ->> '{json_variable}', '__{variable.upper()}__', '{{{{{variable}}}}}'))
    +            );
    +            """
    +            op.execute(statement)
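Review bot: The `REPLACE` in `upgrade()` only matches the exact spelling `{{variable}}`, so a stored template written as `{{ code }}` (with spaces) or using any name outside `VARIABLES` is left untouched and will be sent with the braces showing once rendering no longer goes through Jinja. Consider normalising whitespace inside the braces before replacing, or reporting rows whose `subject` or `body` still contains `{{` after the migration. Each of the ten `UPDATE` statements also has no `WHERE` clause and rewrites every row of `messaging_template`, and `downgrade()` will turn any literal `__CODE__`-style text a user typed on purpose back into a Jinja variable.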
    
  • src/fides/api/models/messaging_template.py · +4 −4 · modified
    @@ -19,8 +19,8 @@
         MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value: {
             "label": "Subject identity verification",
             "content": {
    -            "subject": "Your one-time code is {{code}}",
    -            "body": "Your privacy request verification code is {{code}}. Please return to the Privacy Center and enter the code to continue. This code will expire in {{minutes}} minutes.",
    +            "subject": "Your one-time code is __CODE__",
    +            "body": "Your privacy request verification code is __CODE__. Please return to the Privacy Center and enter the code to continue. This code will expire in __MINUTES__ minutes.",
             },
         },
         MessagingActionType.PRIVACY_REQUEST_RECEIPT.value: {
    @@ -41,14 +41,14 @@
             "label": "Privacy request denied",
             "content": {
                 "subject": "Your privacy request has been denied",
    -            "body": "Your privacy request has been denied. {{denial_reason}}.",
    +            "body": "Your privacy request has been denied. __DENIAL_REASON__.",
             },
         },
         MessagingActionType.PRIVACY_REQUEST_COMPLETE_ACCESS.value: {
             "label": "Access request completed",
             "content": {
                 "subject": "Your data is ready to be downloaded",
    -            "body": "Your access request has been completed and can be downloaded at {{download_link}}. For security purposes, this secret link will expire in {{days}} days.",
    +            "body": "Your access request has been completed and can be downloaded at __DOWNLOAD_LINK__. For security purposes, this secret link will expire in __DAYS__ days.",
             },
         },
         MessagingActionType.PRIVACY_REQUEST_COMPLETE_DELETION.value: {
    
  • src/fides/api/service/messaging/message_dispatch_service.py · +5 −4 · modified
    @@ -5,7 +5,6 @@
     
     import requests
     import sendgrid
    -from jinja2 import Environment
     from loguru import logger
     from sendgrid.helpers.mail import Content, Email, Mail, Personalization, TemplateId, To
     from sqlalchemy.orm import Session
    @@ -384,9 +383,11 @@ def _render(template_str: str, variables: Optional[Dict] = None) -> str:
         """Helper function to render a template string with the provided variables."""
         if variables is None:
             variables = {}
    -    jinja_env = Environment()
    -    template = jinja_env.from_string(template_str)
    -    return template.render(variables)
    +
    +    for key, value in variables.items():
    +        template_str = template_str.replace(f"__{key.upper()}__", str(value))
    +
    +    return template_str
     
     
     def _build_email(  # pylint: disable=too-many-return-statements
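Review bot: In the new `_render` loop each `template_str.replace(...)` runs over the output of the previous iteration, so a value that itself contains a `__NAME__` token (for example a `denial_reason` containing `__CODE__`) is substituted again on a later pass and the result depends on dict order. A single pass with `re.sub` and a lookup callback would avoid re-scanning inserted values. `key.upper()` also assumes every key is a `str`, and placeholders with no matching key go out unchanged in the email, which may deserve a log line.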
    
  • tests/fixtures/application_fixtures.py · +8 −8 · modified
    @@ -401,8 +401,8 @@ def property_b(db: Session) -> Generator:
     def messaging_template_with_property_disabled(db: Session, property_a) -> Generator:
         template_type = MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value
         content = {
    -        "subject": "Here is your code {{code}}",
    -        "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +        "subject": "Here is your code __CODE__",
    +        "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
         }
         data = {
             "content": content,
    @@ -422,8 +422,8 @@ def messaging_template_with_property_disabled(db: Session, property_a) -> Genera
     def messaging_template_no_property_disabled(db: Session) -> Generator:
         template_type = MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value
         content = {
    -        "subject": "Here is your code {{code}}",
    -        "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +        "subject": "Here is your code __CODE__",
    +        "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
         }
         data = {
             "content": content,
    @@ -443,8 +443,8 @@ def messaging_template_no_property_disabled(db: Session) -> Generator:
     def messaging_template_no_property(db: Session) -> Generator:
         template_type = MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value
         content = {
    -        "subject": "Here is your code {{code}}",
    -        "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +        "subject": "Here is your code __CODE__",
    +        "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
         }
         data = {
             "content": content,
    @@ -466,8 +466,8 @@ def messaging_template_subject_identity_verification(
     ) -> Generator:
         template_type = MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value
         content = {
    -        "subject": "Here is your code {{code}}",
    -        "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +        "subject": "Here is your code __CODE__",
    +        "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
         }
         data = {
             "content": content,
    
  • tests/ops/api/v1/endpoints/test_messaging_endpoints.py · +8 −8 · modified
    @@ -1944,8 +1944,8 @@ def payload(self) -> List[Dict[str, Any]]:
                 {
                     "type": "subject_identity_verification",
                     "content": {
    -                    "body": "Your privacy request verification code is {{code}}. Please return to the Privacy Center and enter the code to continue. You have {{minutes}} minutes.",
    -                    "subject": "Your code is {{code}}",
    +                    "body": "Your privacy request verification code is __CODE__. Please return to the Privacy Center and enter the code to continue. You have __MINUTES__ minutes.",
    +                    "subject": "Your code is __CODE__",
                     },
                 },
             ]
    @@ -1979,8 +1979,8 @@ def test_put_messaging_templates(
                     {
                         "type": "subject_identity_verification",
                         "content": {
    -                        "body": "Your privacy request verification code is {{code}}. Please return to the Privacy Center and enter the code to continue. You have {{minutes}} minutes.",
    -                        "subject": "Your code is {{code}}",
    +                        "body": "Your privacy request verification code is __CODE__. Please return to the Privacy Center and enter the code to continue. You have __MINUTES__ minutes.",
    +                        "subject": "Your code is __CODE__",
                         },
                         "label": "Subject identity verification",
                     }
    @@ -2015,8 +2015,8 @@ def test_put_messaging_templates_missing_values(
                     {
                         "type": "subject_identity_verification",
                         "content": {
    -                        "body": "Your privacy request verification code is {{code}}. Please return to the Privacy Center and enter the code to continue. This code will expire in {{minutes}} minutes.",
    -                        "subject": "Your one-time code is {{code}}",
    +                        "body": "Your privacy request verification code is __CODE__. Please return to the Privacy Center and enter the code to continue. This code will expire in __MINUTES__ minutes.",
    +                        "subject": "Your one-time code is __CODE__",
                         },
                         "label": "Subject identity verification",
                     }
    @@ -2202,8 +2202,8 @@ def test_delete_messaging_template_by_id_success(
             # Creating new config, so we don't run into issues trying to clean up a deleted fixture
             template_type = MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value
             content = {
    -            "subject": "Here is your code {{code}}",
    -            "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +            "subject": "Here is your code __CODE__",
    +            "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
             }
             data = {
                 "content": content,
    
  • tests/ops/service/messaging/message_dispatch_service_test.py · +8 −8 · modified
    @@ -109,8 +109,8 @@ def test_email_dispatch_mailgun_success(
         Test scenario:
         ✅︎ Property-specific messaging is enabled
         ❌ No template configured for action type
    -    
    -    Result: Email is not sent. An explicit messaging template with matching action type is needed to send emails for 
    +
    +    Result: Email is not sent. An explicit messaging template with matching action type is needed to send emails for
         property-specific messaging
         """
     
    @@ -140,7 +140,7 @@ def test_email_dispatch_property_specific_templates_enabled_no_template(
         Test scenario:
         ❌ Property-specific messaging is disabled
         ✅︎ Has template configured for action type
    -    
    +
         Result: Email sent the template configured with matching action type.
         """
     
    @@ -178,7 +178,7 @@ def test_email_dispatch_property_specific_templates_disabled_with_template(
         Test scenario:
         ❌ Property-specific messaging is disabled
         ❌ No template configured for action type
    -    
    +
         Result: Email sent with default messaging template.
         """
     
    @@ -217,7 +217,7 @@ def test_email_dispatch_property_specific_templates_disabled_no_template(
         ✅︎ Has template configured for action type
         ❌ No property id attached to template
         ❌ No property id in request
    -    
    +
         Result: Email not sent. There was no explicit property id linked to the template with matching action type.
         """
     
    @@ -250,7 +250,7 @@ def test_email_dispatch_property_specific_templates_enabled_with_template_no_pro
         ✅︎ Has template configured for action type
         ✅︎ Default property id attached to template
         ❌ No property id in request
    -    
    +
         Result: Email sent using template linked to default property id. If no property id was received, we assume
         the default property id to look up the associated messaging template.
         """
    @@ -294,7 +294,7 @@ def test_email_dispatch_property_specific_templates_enabled_with_template_has_pr
         ✅︎ Has template configured for action type
         ❌ No property attached to template
         ✅ Default property id in request
    -    
    +
         Result: Email not sent. There was no explicit property id linked to the template with matching action type.
         """
     
    @@ -328,7 +328,7 @@ def test_email_dispatch_property_specific_templates_enabled_with_template_no_pro
        ✅︎ Has template configured for action type
        ✅ Property attached to template
        ✅ Matching property id in request
    -   
    +
        Result: Email sent using template with with property id
        """
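Review bot: The context line `Result: Email sent using template with with property id` in this docstring has a doubled "with"; since the hunk already touches the docstring, fix it in the same change. The hunks in this file otherwise only strip trailing whitespace and are unrelated to the template rendering fix, so they would be easier to review in a separate commit.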
     
    
  • tests/ops/service/messaging/test_message_template_render.py · +64 −0 · added
    @@ -0,0 +1,64 @@
    +import pytest
    +
    +from fides.api.service.messaging.message_dispatch_service import _render
    +
    +
    +@pytest.mark.unit
    +class TestMessageTemplateRender:
    +
    +    def test_template_render(self):
    +        """
    +        Test that a template is rendered correctly with the given variables.
    +        """
    +        template_str = """
    +        Your privacy request has been denied.
    +        __DENIAL_REASON__
    +        """
    +        variables = {
    +            "denial_reason": "Accounts with an unpaid balance cannot be deleted."
    +        }
    +
    +        expected_rendered_template = """
    +        Your privacy request has been denied.
    +        Accounts with an unpaid balance cannot be deleted.
    +        """
    +
    +        rendered_template = _render(template_str, variables)
    +        assert rendered_template == expected_rendered_template
    +
    +    def test_template_render_unsafe(self):
    +        """
    +        Test that a template with unsafe code is not rendered and raises a SecurityError.
    +        """
    +        template_str = """
    +        Your privacy request has been denied.
    +        *bb*
    +        {% for s in ().__class__.__base__.__subclasses__() %}{% if "warning" in s.__name__ %}{{s()._module.__builtins__['__import__']('os').popen("env").read() }}{% endif %}
    +        {% endfor %}
    +        __CONFIG__
    +        *aa*
    +        """
    +
    +        expected_rendered_template = """
    +        Your privacy request has been denied.
    +        *bb*
    +        {% for s in ().__class__.__base__.__subclasses__() %}{% if "warning" in s.__name__ %}{{s()._module.__builtins__['__import__']('os').popen("env").read() }}{% endif %}
    +        {% endfor %}
    +        123
    +        *aa*
    +        """
    +
    +        variables = {
    +            "config": "123",
    +        }
    +
    +        rendered_template = _render(template_str, variables)
    +        assert rendered_template == expected_rendered_template
    +
    +        template_str = "your privacy request has been denied. __CONFIG.security.app_encryption_key__"
    +        variables = {
    +            "config": "123",
    +        }
    +
    +        rendered_template = _render(template_str, variables)
    +        assert rendered_template == template_str
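Review bot: The docstring of `test_template_render_unsafe` says the template "is not rendered and raises a SecurityError", but the body has no `pytest.raises` and asserts that the Jinja block comes back as unchanged text; update the docstring to describe the pass-through behaviour actually tested. A case where a variable value contains another placeholder (for example `__CODE__` inside `denial_reason`) would also pin down the substitution order of `_render`.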
    
  • tests/ops/service/messaging/test_messaging_crud_service.py · +35 −35 · modified
    @@ -39,8 +39,8 @@ def test_get_all_basic_messaging_templates(self, db: Session):
         def test_get_basic_messaging_template_by_type_existing(self, db: Session):
             template_type = MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value
             content = {
    -            "subject": "Here is your code {{code}}",
    -            "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +            "subject": "Here is your code __CODE__",
    +            "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
             }
             MessagingTemplate.create_or_update(
                 db=db,
    @@ -80,7 +80,7 @@ def test_create_or_update_basic_templates_existing_type(
         ):
             content = {
                 "subject": "Test new subject",
    -            "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +            "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
             }
             create_or_update_basic_templates(
                 db,
    @@ -99,7 +99,7 @@ def test_create_or_update_basic_templates_new_type(
         ):
             content = {
                 "subject": "Test new subject",
    -            "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +            "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
             }
             new_template = create_or_update_basic_templates(
                 db,
    @@ -124,7 +124,7 @@ def test_create_or_update_basic_templates_existing_type_multiple(
         ):
             content = {
                 "subject": "Test new subject",
    -            "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +            "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
             }
             create_or_update_basic_templates(
                 db,
    @@ -298,8 +298,8 @@ def test_update_messaging_template_add_property(
         ):
             update_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 # add new property B
                 "properties": [property_a.id, property_b.id],
    @@ -331,8 +331,8 @@ def test_update_messaging_template_replace_property(
         ):
             update_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 # replace property a with property b
                 "properties": [property_b.id],
    @@ -362,8 +362,8 @@ def test_update_messaging_template_remove_all_properties_and_enabled(
         ):
             update_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 # Remove all properties
                 "properties": None,
    @@ -385,8 +385,8 @@ def test_update_messaging_template_remove_all_properties_and_disabled(
         ):
             update_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 # Remove all properties
                 "properties": None,
    @@ -417,8 +417,8 @@ def test_update_messaging_template_id_not_found(
         ):
             update_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 "properties": [property_a.id, property_b.id],
                 "is_enabled": True,
    @@ -433,8 +433,8 @@ def test_update_messaging_template_property_not_found(
         ):
             update_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 "properties": [property_a.id, "invalid_property_id"],
                 "is_enabled": True,
    @@ -465,8 +465,8 @@ def test_update_messaging_template_conflicting_template(
         ):
             update_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 # this property is already being used by another messaging_template_subject_identity_verification template with same type
                 "properties": [property_a.id],
    @@ -488,8 +488,8 @@ def test_update_messaging_template_conflicting_template_but_one_disabled(
         ):
             update_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 # this property is already being used by another template with same type, but is not enabled, so this is fine
                 "properties": [property_a.id],
    @@ -514,8 +514,8 @@ def test_create_messaging_template(self, db: Session, property_a):
             template_type = MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value
             create_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 "properties": [property_a.id],
                 "is_enabled": True,
    @@ -538,8 +538,8 @@ def test_create_messaging_template_no_properties(self, db: Session):
             template_type = MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value
             create_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 "is_enabled": True,
             }
    @@ -555,8 +555,8 @@ def test_create_messaging_template_invalid_type(self, db: Session, property_a):
             template_type = "invalid"
             create_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 "properties": [property_a.id],
                 "is_enabled": True,
    @@ -574,8 +574,8 @@ def test_create_messaging_template_property_not_found(
             template_type = MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value
             create_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 "properties": [property_a.id, "invalid_id"],
                 "is_enabled": True,
    @@ -603,8 +603,8 @@ def test_create_messaging_template_conflicting_template_but_one_disabled(
             template_type = MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value
             create_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 "properties": [property_a.id],
                 "is_enabled": False,
    @@ -630,8 +630,8 @@ def test_create_messaging_template_conflicting_template(
             template_type = MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value
             create_body = {
                 "content": {
    -                "subject": "Here is your code {{code}}",
    -                "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +                "subject": "Here is your code __CODE__",
    +                "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
                 },
                 # this property is already being used by another template with same type
                 "properties": [property_a.id],
    @@ -653,8 +653,8 @@ def test_delete_template_by_id(
             # Create message template
             template_type = MessagingActionType.SUBJECT_IDENTITY_VERIFICATION.value
             content = {
    -            "subject": "Here is your code {{code}}",
    -            "body": "Use code {{code}} to verify your identity, you have {{minutes}} minutes!",
    +            "subject": "Here is your code __CODE__",
    +            "body": "Use code __CODE__ to verify your identity, you have __MINUTES__ minutes!",
             }
             data = {
                 "content": content,
    
