CVE-2023-1304 Information

Description

An authenticated attacker can leverage an exposed getattr() method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. This issue was resolved in the Managed and SaaS deployments on February 1 2023 and in version 23.2.1 of the Self-Managed version of InsightCloudSec.

Reference

https://nephosec.com/exploiting-rapid7s-insightcloudsec/ https://docs.divvycloud.com/changelog/23321-release-notes