Lucene search

CVE-2023-1306

🗓️ 21 Mar 2023 17:11:15Reported by rapid7Type

Authenticated attacker exploits resource.db() to smuggle Python calls via Jinja template, leading to code execution. Managed and SaaS deployments fixed on Feb 1, 2023. Self-Managed InsightCloudSec v23.2.1 fixed.

5 of 5AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Reporter	Title	Published	Views	Family All 4
Cvelist	CVE-2023-1306 Rapid7 InsightCloudSec resource.db() method access	21 Mar 202316:53	–	cvelist
Vulnrichment	CVE-2023-1306 Rapid7 InsightCloudSec resource.db() method access	21 Mar 202316:53	–	vulnrichment
NVD	CVE-2023-1306	21 Mar 202317:15	–	nvd
Prion	Design/Logic Flaw	21 Mar 202317:15	–	prion

Nvd

Node

rapid7 insightappsecRange<23.2.1self-managed

rapid7 insightcloudsecRange<2023.02.01managed

rapid7 insightcloudsecRange<2023.02.01saas

[
  {
    "defaultStatus": "unaffected",
    "product": "InsightCloudSec",
    "vendor": "Rapid7",
    "versions": [
      {
        "lessThanOrEqual": "23.2.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
docs	www.docs.divvycloud.com/changelog/23321-release-notes
nephosec	www.nephosec.com/exploiting-rapid7s-insightcloudsec/

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

21 Mar 2023 17:15Current

8.7High risk

Vulners AI Score8.7

CVSS38.8

EPSS0.00253

SSVC

CWE-94

cve-2023-1306 authenticated attacker resource.db()jinja template code execution managed deployment saas deployment self-managed insightcloudsec