CVE-2024-32404 is a Server-Side Template Injection (SSTI) vulnerability identified in the inducer relate software prior to version 2024.1. SSTI vulnerabilities occur when user input is unsafely embedded into server-side templates, allowing attackers to inject malicious template expressions that the server executes. In this case, the vulnerability resides in the Markup Sandbox feature, which is intended to safely render user-generated markup. However, due to insufficient sanitization or improper sandboxing, remote attackers with high privileges can craft payloads that bypass these protections and execute arbitrary code on the server. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that the system improperly handles dynamic code generation. The CVSS v3.1 base score is 6.0, reflecting a medium severity with network attack vector, low attack complexity, required privileges, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and low availability impact. No public exploits have been reported yet, but the potential for remote code execution makes this a significant risk for affected deployments. The lack of patch links suggests that a fix may be forthcoming or that users should upgrade to version 2024.1 or later when available.

The primary impact of this vulnerability is unauthorized remote code execution on servers running vulnerable versions of inducer relate. This can lead to the exposure of sensitive data (high confidentiality impact), partial modification of data (low integrity impact), and limited disruption of service (low availability impact). Organizations relying on inducer relate for data processing or research could face data breaches, loss of intellectual property, or compromised system integrity. Since exploitation requires high privileges, the threat is more severe in environments where attackers can gain elevated access, such as through compromised credentials or insider threats. The vulnerability could be leveraged as a foothold for further lateral movement within networks, increasing the overall risk. Although no known exploits exist currently, the medium severity and remote exploitability warrant timely remediation to prevent potential attacks.

1. Upgrade inducer relate to version 2024.1 or later as soon as the patch is released to ensure the vulnerability is addressed. 2. Until a patch is available, restrict access to the Markup Sandbox feature to trusted users only, minimizing exposure to untrusted inputs. 3. Implement strict input validation and sanitization on all data passed to template rendering components to prevent injection of malicious payloads. 4. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block suspicious template injection patterns. 5. Monitor logs for unusual template rendering errors or unexpected code execution attempts. 6. Conduct regular privilege audits to limit the number of users with high-level access required to exploit this vulnerability. 7. Use containerization or sandboxing at the OS level to isolate the application environment, reducing the impact of potential code execution.