Veracode Vulnerability Database: VERACODE:39428
Published: Feb 26, 2023 - 4:51 p.m.

Remote Code Execution (RCE)

2023-02-26 16:51:48
Veracode Vulnerability Database
sca.analysiscenter.veracode.com

Tags: remote code execution, nautobot, vulnerability, jinja2, template engine, sandbox, computedfield, customlink, exporttemplate, secret, webhook, template code, render_jinja2, helper function, security

EPSS: 0.008 (Low)
EPSS Percentile: 81.9%

nautobot is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper sandboxing of the Jinja2 template engine environment used internally to render templates for objects such as extras.ComputedField, extras.CustomLink, extras.ExportTemplate, extras.Secret and extras.Webhook. This allows an attacker to inject and execute maliciously crafted template code through the nautobot.utilities.utils.render_jinja2 helper function.

Affected products (CPE):

| Name     | Operator | Version |
|----------|----------|---------|
| nautobot | le       | 1.5.6   |
