CVE-2023-1306 Information

Description

An authenticated attacker can leverage an exposed resource.db() accessor method to smuggle Python method calls via a Jinja template which can lead to code execution. This issue was resolved in the Managed and SaaS deployments on February 1 2023 and in version 23.2.1 of the Self-Managed version of InsightCloudSec.

Reference

https://nephosec.com/exploiting-rapid7s-insightcloudsec/ https://docs.divvycloud.com/changelog/23321-release-notes