Information Disclosure Vulnerability in Dependency-Track by DependencyTrack
CVE-2025-27137

4.4MEDIUM

Key Information:

Vendor
Dependencytrack
Status
Dependency-track
Vendor
CVE Published:
24 February 2025

Summary

Dependency-Track, a component analysis platform, has a vulnerability that allows users with the SYSTEM_CONFIGURATION permission to create notification templates containing the Pebble template engine's 'include' tag. This could lead to the inclusion of sensitive local files, such as '/etc/passwd' or '/proc/1/environ', thus exposing critical data. The issue is addressed in version 4.12.6, where the 'include' tag is disabled. Users are advised to restrict SYSTEM_CONFIGURATION permission to trusted personnel only to mitigate potential risks.

Affected Version(s)

dependency-track < 4.12.6

References

https://github.com/DependencyTrack/dependency-track/secur...
x_refsource_CONFIRM
https://github.com/JLLeitschuh/security-research/security...
x_refsource_MISC
https://github.com/PebbleTemplates/pebble/issues/680
x_refsource_MISC

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.