CVE-2024-38363 HIGH

CVE-2024-38363: Remote Code Execution (RCE) via Server Side Template Injection (SSTI) in Airbyte

Vendor Airbytehq
Product airbyte
Weakness CWE-1336
Published July 9, 2024
Last update August 2, 2024

CVSS base score

8.6/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Airbyte is a data integration platform for ELT pipelines. Airbyte connection builder docker image is vulnerable to RCE via SSTI which allows an authenticated remote attacker to execute arbitrary code on the server as the web server user. The connection builder is used to create and test new connectors. Sensitive information, such as credentials, could be exposed if a user tested a new connector on a compromised instance. The connection builder does not have access to any data processes. This vulnerability is fixed in 0.62.2.

Key dates

02Disclosure timeline

July 9, 2024 CVE published
August 2, 2024 Record updated