3 matches found
CVE-2023-1305
CVE-2023-1305 affects Rapid7 InsightCloudSec where an authenticated attacker could leverage an exposed “box” object to read and write arbitrary files on disk as long as they are parsable as YAML/JSON. The issue has been mitigated in the Managed and SaaS deployments as of February 1, 2023 and in t...
CVE-2023-1306
CVE-2023-1306 affects Rapid7 InsightCloudSec. An authenticated attacker could abuse an exposed resource.db() accessor to smuggle Python methods via a Jinja template, enabling code execution. Mitigation: upgrade to InsightCloudSec 23.2.1 (Self-Managed) or apply the managed/SaaS patch released on 2...
CVE-2023-1304
CVE-2023-1304 affects InsightCloudSec. An authenticated attacker can use an exposed getattr() via a Jinja template to smuggle OS commands and invoke actions normally restricted to private methods. Affected are InsightCloudSec versions prior to the fixes; the issue was resolved in Managed and SaaS...