
CVE-2023-45672

Frigate unsafe deserialization in `load_config_with_no_duplicates` of `frigate/util/builtin.py`

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, an unsafe deserialization vulnerability was identified in the endpoints used to save configurations for Frigate. This can lead to unauthenticated remote code execution. This can be performed through the UI at `/config` or through a direct call to `/api/config/save`. Exploiting this vulnerability requires the attacker to know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could be exploited by an attacker under the following circumstances: Frigate is publicly exposed to the internet (even with authentication); the attacker knows the address of a user's Frigate instance; the attacker crafts a specialized page which links to the user's Frigate instance; the attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. Input is initially accepted through `http.py`. The user-provided input is then parsed and loaded by `load_config_with_no_duplicates`. However, `load_config_with_no_duplicates` does not sanitize this input because it uses `yaml.loader.Loader`, which can instantiate custom constructors. A provided payload will be executed directly at `frigate/util/builtin.py:110`. This issue may lead to pre-authenticated Remote Code Execution. Version 0.13.0 Beta 3 contains a patch.
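A hardened form of the loader pattern described above, added here as an illustration and not Frigate's own code or its patch: a duplicate-key check built on `yaml.SafeLoader`, which refuses `python/*` tags instead of constructing objects from them. `SafeNoDuplicatesLoader` and `load_config_safely` are hypothetical names, the sample configs are constructed, and PyYAML is assumed to be installed.

```python
from collections.abc import Hashable

import yaml
from yaml.constructor import ConstructorError

MERGE_TAG = "tag:yaml.org,2002:merge"


class SafeNoDuplicatesLoader(yaml.SafeLoader):
    """Hypothetical loader: SafeLoader plus duplicate-key rejection.

    SafeLoader only builds plain YAML types, so python/* tags that
    yaml.loader.Loader would turn into object construction are refused.
    """

    def construct_mapping(self, node, deep=False):
        seen = set()
        for key_node, _ in node.value:
            if key_node.tag == MERGE_TAG:
                continue  # "<<" merge keys are flattened by SafeLoader itself
            key = self.construct_object(key_node, deep=True)
            if not isinstance(key, Hashable):
                continue  # super() raises ConstructorError for these
            if key in seen:
                raise ConstructorError(
                    "while constructing a mapping", node.start_mark,
                    f"found duplicate key {key!r}", key_node.start_mark)
            seen.add(key)
        return super().construct_mapping(node, deep=deep)


def load_config_safely(raw_config):
    """Parse untrusted config text; return (config, None) or (None, reason)."""
    try:
        return yaml.load(raw_config, Loader=SafeNoDuplicatesLoader), None
    except yaml.YAMLError as exc:
        return None, f"{type(exc).__name__}: {getattr(exc, 'problem', exc)}"


# Constructed sample inputs (not taken from the advisory).
VALID = "mqtt:\n  host: broker.local\ncameras:\n  front:\n    enabled: true\n"
DUPLICATE = "mqtt:\n  host: a\nmqtt:\n  host: b\n"
# Harmless callable; the point is that the tag itself is refused.
TAGGED = "mqtt:\n  host: !!python/object/apply:time.time []\n"

if __name__ == "__main__":
    for name, text in (("valid", VALID), ("duplicate", DUPLICATE), ("tagged", TAGGED)):
        print(name, "->", load_config_safely(text))
```

Rejected input comes back as `(None, reason)`, so a save endpoint can return the reason to the caller without ever constructing the tagged node.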


*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-10-10 CVE Reserved
  • 2023-10-30 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • 2024-11-18 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-502: Deserialization of Untrusted Data
CAPEC
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Frigate | Frigate | <= 0.13.0 | - | Affected |
| Frigate | Frigate | 0.13.0 | beta1 | Affected |
| Frigate | Frigate | 0.13.0 | beta2 | Affected |