Remote Code Execution via Jinja2 SSTI
A vulnerability in autogluon.multimodal (all versions prior to 1.1.0) allows remote code execution through Server-Side Template Injection (SSTI) due to improper neutralization of special elements in the Jinja2 template engine. This issue was patched in version 1.1.0.
Available publicly on Jul 08 2024
Threat Overview
The vulnerability arises from the use of the Jinja2 template engine without a sandbox in the autogluon.multimodal.data.templates module. When the content of the template file can be controlled, an attacker can exploit this to execute arbitrary system commands. This can lead to full system compromise, allowing the attacker to gain unauthorized access and control over the affected system.
Attack Scenario
An attacker crafts a malicious template file containing a payload that exploits the SSTI vulnerability. By injecting a payload that accesses the Popen class from Python's subprocess module, the attacker can execute arbitrary system commands. For example, the attacker can use the payload {{ ().__class__.__base__.__subclasses__()[380]('ls') }}
to list directory contents. When this template is processed by the autogluon.multimodal.data.templates module, the command is executed on the server, giving the attacker control over the system.
Who is affected
Users of autogluon.multimodal versions prior to 1.1.0 who process user-controlled template files are affected by this vulnerability. This includes developers and organizations using autogluon for machine learning tasks that involve template rendering.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.