A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe.
Users who have authenticated access to ConsoleMe are able to disclose information and potentially run arbitrary Python code. This could be leveraged to retrieve on-instance AWS credentials. Given ConsoleMe's role as an AWS identity broker, it is likely that those credentials would grant access to other AWS IAM roles belonging to the owner of the ConsoleMe installation.
The self-service permissions update workflow in ConsoleMe applies format string evaluation to user input. This makes it possible for an attacker to use any capabilities accessible via the Format Specification Mini-Language. This leads to information disclosure of values available via field accesses. Arbitrary code execution is not a feature of the mini-language; it is possible that there are attribute-access side effects that could lead to RCE but we are not currently aware of any.
See further details in the ConsoleMe repository at Netflix/consoleme#9306
A fix is available in version v1.2.2. It is recommended that users update as soon as possible.