Remote code execution in Jinja2 template rendering in Nautobot
CVE-2023-25657

7.5HIGH

Key Information:

Vendor

Nautobot

Status
Nautobot
Vendor
CVE Published:
21 February 2023

What is CVE-2023-25657?

Nautobot, a network automation platform, has a vulnerability enabling remote code execution in versions prior to 1.5.7. Due to inadequate sandboxing in Jinja2 template rendering, users are at risk of malicious code execution. The recently released version 1.5.7 incorporates sandboxed environments for key components, mitigating risks associated with unsafe template usage. While no active exploits have been confirmed, users are strongly encouraged to upgrade to secure their instances. For immediate protection, users can enforce sandboxing in their configurations. Details on adjustments to the nautobot_config.py file and further measures to limit specific object permissions are provided for those unable to perform upgrades promptly.

Affected Version(s)

nautobot < 1.5.7

References

https://github.com/nautobot/nautobot/security/advisories/...
x_refsource_CONFIRM
https://github.com/nautobot/nautobot/commit/d47f157e83b0c...
x_refsource_MISC
https://jinja.palletsprojects.com/en/3.0.x/sandbox/#sandbox
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.