{"id":"CVE-2024-38363","summary":"Remote Code Execution (RCE) via Server Side Template Injection (SSTI) in Airbyte","details":"Airbyte is a data integration platform for ELT pipelines. Airbyte connection builder docker image is vulnerable to RCE via SSTI which allows an authenticated remote attacker to execute arbitrary code on the server as the web server user. The connection builder is used to create and test new connectors. Sensitive information, such as credentials, could be exposed if a user tested a new connector on a compromised instance. The connection builder does not have access to any data processes. This vulnerability is fixed in 0.62.2.","aliases":["GHSA-4j3c-fgvx-xgqq"],"modified":"2026-04-10T06:11:06.063229Z","published":"2024-07-09T14:10:47.792Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38363.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-1336"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38363.json"},{"type":"ADVISORY","url":"https://github.com/airbytehq/airbyte/security/advisories/GHSA-4j3c-fgvx-xgqq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38363"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/airbytehq/airbyte","events":[{"introduced":"0"},{"fixed":"d2e4cd4cb6b7f3169475aa711b79ff522ab90709"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.62.2"}]}}],"versions":["java-cdk-0.28.0","list","v0","v0.1.0-alpha","v0.10.0-alpha","v0.11.0-alpha","v0.11.1-alpha","v0.11.2-alpha","v0.12.0-alpha","v0.12.1-alpha","v0.13.0-alpha","v0.13.1-alpha","v0.14.0-alpha","v0.14.1-alpha","v0.14.2-alpha","v0.14.3-alpha","v0.14.4-alpha","v0.15.0-alpha","v0.16.0-alpha","v0.16.1-alpha","v0.17.0-alpha","v0.17.1-alpha","v0.17.2-alpha","v0.18.0-alpha","v0.18.1-alpha","v0.18.2-alpha","v0.2.0-alpha","v0.20.0-alpha","v0.21.0-alpha","v0.21.1-alpha","v0.22","v0.22.0-alpha","v0.22.1-alpha","v0.22.2-alpha","v0.22.3-alpha","v0.23.0-alpha","v0.24.0-alpha","v0.24.1-alpha","v0.24.2-alpha","v0.24.3-alpha","v0.24.4-alpha","v0.24.5-alpha","v0.24.6-alpha","v0.24.7-alpha","v0.24.8-alpha","v0.25.0-alpha","v0.26.0-alpha","v0.26.1-alpha","v0.26.2-alpha","v0.26.3-alpha","v0.26.4-alpha","v0.27.0-alpha","v0.27.1-alpha","v0.27.2-alpha","v0.27.3-alpha","v0.27.4-alpha","v0.27.5-alpha","v0.28.0-alpha","v0.28.1","v0.28.1-alpha","v0.28.2-alpha","v0.29.0-alpha","v0.29.1-alpha","v0.29.10-alpha","v0.29.11-alpha","v0.29.12-alpha","v0.29.13-alpha","v0.29.14-alpha","v0.29.15-alpha","v0.29.16-alpha","v0.29.17-alpha","v0.29.18-alpha","v0.29.19-alpha","v0.29.2-alpha","v0.29.20-alpha","v0.29.21-alpha","v0.29.22-alpha","v0.29.3-alpha","v0.29.4-alpha","v0.29.5-alpha","v0.29.8-alpha","v0.29.9","v0.29.9-alpha","v0.3.0-alpha","v0.30.0-alpha","v0.30.1-alpha","v0.30.10-alpha","v0.30.11-alpha","v0.30.12-alpha","v0.30.13-alpha","v0.30.14-alpha","v0.30.15-alpha","v0.30.16-alpha","v0.30.17-alpha","v0.30.18-alpha","v0.30.19-alpha","v0.30.2-alpha","v0.30.20-alpha","v0.30.21-alpha","v0.30.22-alpha","v0.30.23-alpha","v0.30.24-alpha","v0.30.25-alpha","v0.30.26-alpha","v0.30.27-alpha","v0.30.28-alpha","v0.30.29-alpha","v0.30.3-alpha","v0.30.30-alpha","v0.30.31-alpha","v0.30.32-alpha","v0.30.33-alpha","v0.30.34-alpha","v0.30.35-alpha","v0.30.36-alpha","v0.30.37-alpha","v0.30.38-alpha","v0.30.39-alpha","v0.30.4-alpha","v0.30.5-alpha","v0.30.6-alpha","v0.30.7-alpha","v0.30.8-alpha","v0.30.9-alpha","v0.31.0-alpha","v0.32.0-alpha","v0.32.1-alpha","v0.32.10-alpha","v0.32.11-alpha","v0.32.2-alpha","v0.32.3-alpha","v0.32.4-alpha","v0.32.5-alpha","v0.32.6-alpha","v0.32.7-alpha","v0.32.8-alpha","v0.32.9-alpha","v0.33.0-alpha","v0.33.1-alpha","v0.33.10-alpha","v0.33.11-alpha","v0.33.12-alpha","v0.33.2-alpha","v0.33.3-alpha","v0.33.4-alpha","v0.33.5-alpha","v0.33.6-alpha","v0.33.7-alpha","v0.33.8-alpha","v0.33.9-alpha","v0.34.0-alpha","v0.34.1-alpha","v0.34.2-alpha","v0.34.3-alpha","v0.34.4-alpha","v0.35.0-alpha","v0.35.1-alpha","v0.35.10-alpha","v0.35.11-alpha","v0.35.12-alpha","v0.35.13-alpha","v0.35.14-alpha","v0.35.15-alpha","v0.35.16-alpha","v0.35.17-alpha","v0.35.18-alpha","v0.35.19-alpha","v0.35.2-alpha","v0.35.20-alpha","v0.35.21-alpha","v0.35.22-alpha","v0.35.23-alpha","v0.35.24-alpha","v0.35.25-alpha","v0.35.26-alpha","v0.35.27-alpha","v0.35.28-alpha","v0.35.29-alpha","v0.35.3-alpha","v0.35.30-alpha","v0.35.31-alpha","v0.35.32-alpha","v0.35.33-alpha","v0.35.34-alpha","v0.35.35-alpha","v0.35.36-alpha","v0.35.37-alpha","v0.35.38-alpha","v0.35.39-alpha","v0.35.4-alpha","v0.35.40-alpha","v0.35.41-alpha","v0.35.42-alpha","v0.35.43-alpha","v0.35.44-alpha","v0.35.45-alpha","v0.35.46-alpha","v0.35.47-alpha","v0.35.48-alpha","v0.35.49-alpha","v0.35.5-alpha","v0.35.50-alpha","v0.35.51-alpha","v0.35.52-alpha","v0.35.53-alpha","v0.35.54-alpha","v0.35.55-alpha","v0.35.56-alpha","v0.35.57-alpha","v0.35.58-alpha","v0.35.59-alpha","v0.35.6-alpha","v0.35.60-alpha","v0.35.61-alpha","v0.35.62-alpha","v0.35.63-alpha","v0.35.64-alpha","v0.35.65-alpha","v0.35.66-alpha","v0.35.67-alpha","v0.35.68-alpha","v0.35.7-alpha","v0.35.8-alpha","v0.35.9-alpha","v0.36.0-alpha","v0.36.1-alpha","v0.36.10-alpha","v0.36.11-alpha","v0.36.2-alpha","v0.36.3-alpha","v0.36.4-alpha","v0.36.5-alpha","v0.36.6-alpha","v0.36.7-alpha","v0.36.8-alpha","v0.36.9-alpha","v0.37.0-alpha","v0.37.1-alpha","v0.38.0-alpha","v0.38.1-alpha","v0.38.2-alpha","v0.38.3-alpha","v0.38.4-alpha","v0.39.0-alpha","v0.39.1-alpha","v0.39.10-alpha","v0.39.11-alpha","v0.39.12-alpha","v0.39.13-alpha","v0.39.14-alpha","v0.39.15-alpha","v0.39.16-alpha","v0.39.17-alpha","v0.39.18-alpha","v0.39.19-alpha","v0.39.2-alpha","v0.39.20-alpha","v0.39.21-alpha","v0.39.22-alpha","v0.39.23-alpha","v0.39.24-alpha","v0.39.25-alpha","v0.39.26-alpha","v0.39.27-alpha","v0.39.28-alpha","v0.39.29-alpha","v0.39.3-alpha","v0.39.30-alpha","v0.39.31-alpha","v0.39.32-alpha","v0.39.33-alpha","v0.39.34-alpha","v0.39.35-alpha","v0.39.36-alpha","v0.39.37-alpha","v0.39.38-alpha","v0.39.39-alpha","v0.39.4-alpha","v0.39.40-alpha","v0.39.41-alpha","v0.39.42-alpha","v0.39.5-alpha","v0.39.6-alpha","v0.39.7-alpha","v0.39.8-alpha","v0.39.9-alpha","v0.4.0-alpha","v0.40.0-alpha","v0.40.1","v0.40.10","v0.40.11","v0.40.12","v0.40.13","v0.40.14","v0.40.15","v0.40.16","v0.40.17","v0.40.18","v0.40.18-helm","v0.40.19","v0.40.2","v0.40.20","v0.40.21","v0.40.22","v0.40.23","v0.40.24","v0.40.25","v0.40.26","v0.40.27","v0.40.28","v0.40.29","v0.40.3","v0.40.30","v0.40.31","v0.40.32","v0.40.4","v0.40.5","v0.40.6","v0.40.7","v0.40.8","v0.40.9","v0.41.0","v0.42.0","v0.42.1","v0.43.0","v0.43.1","v0.43.2","v0.44.0","v0.44.1","v0.44.12","v0.44.2","v0.44.3","v0.44.4","v0.5.0-alpha","v0.5.3-alpha","v0.50.0","v0.50.1","v0.50.10","v0.50.11","v0.50.12","v0.50.13","v0.50.14","v0.50.15","v0.50.16","v0.50.17","v0.50.18","v0.50.19","v0.50.2","v0.50.20","v0.50.21","v0.50.3","v0.50.31","v0.50.32","v0.50.33","v0.50.34","v0.50.35","v0.50.36","v0.50.37","v0.50.38","v0.50.39","v0.50.4","v0.50.40","v0.50.41","v0.50.42","v0.50.43","v0.50.44","v0.50.45","v0.50.46","v0.50.47","v0.50.48","v0.50.49","v0.50.5","v0.50.50","v0.50.51","v0.50.52","v0.50.53","v0.50.54","v0.50.6","v0.50.7","v0.50.8","v0.50.9","v0.51.0","v0.52.0","v0.52.1","v0.53.0","v0.53.1","v0.54.0","v0.55.0","v0.55.1","v0.55.2","v0.56.0","v0.57.0","v0.57.1","v0.57.2","v0.57.3","v0.57.4","v0.58.0","v0.58.1","v0.59.0","v0.59.1","v0.6.0-alpha","v0.6.2-alpha","v0.60.0","v0.60.1","v0.61.0","v0.62.0","v0.62.1","v0.8.0-alpha","v0.9.0-alpha","v0.9.1-alpha","v0.9.2-alpha"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38363.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}