CVE-2023-45672
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2023-45672 is a vulnerability in Frigate, an open-source network video recorder. Before version 0.13.0 Beta 3, the configuration-saving endpoints contained an unsafe deserialization issue. Exploiting it results in unauthenticated remote code execution, and the flaw can be reached through either the UI or the API. The attacker needs specific information about the target Frigate server and must get an authenticated user to click a malicious link. The chain begins with user-supplied input accepted in `http.py`, which is then passed unsanitized to `load_config_with_no_duplicates`; the attacker's payload is executed directly at `frigate/util/builtin.py:110`. The net effect is pre-authentication remote code execution. Version 0.13.0 Beta 3 has been released with a patch that addresses this issue.
Affected Products
- Frigate
Affected Vendors
- Frigate