CVE-2023-25657: Nautobot vulnerable to remote code execution via Jinja2 template rendering
(updated )
What kind of vulnerability is it? Who is impacted?
All users of Nautobot versions earlier than 1.5.7 are impacted.
In Nautobot 1.5.7 we have enabled sandboxed environments for the Jinja2 template engine used internally for template rendering for the following objects:
extras.ComputedFieldextras.CustomLinkextras.ExportTemplateextras.Secretextras.Webhook
While we are not aware of any active exploits, we have made this change as a preventative measure to protect against any potential remote code execution attacks utilizing maliciously crafted template code.
This change forces the Jinja2 template engine to use a SandboxedEnvironment on all new installations of Nautobot.
This addresses any potential unsafe code execution everywhere the helper function nautobot.utilities.utils.render_jinja2 is called. Additionally, our documentation that was previously suggesting the direct use of jinja2.Template has been revised to utilize render_jinja2.
References
- docs.nautobot.com/projects/core/en/stable/release-notes/version-1.5/
- github.com/advisories/GHSA-8mfq-f5wj-vw5m
- github.com/nautobot/nautobot
- github.com/nautobot/nautobot/commit/d47f157e83b0c353bb2b697f911882c71cf90ca0
- github.com/nautobot/nautobot/security/advisories/GHSA-8mfq-f5wj-vw5m
- github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2023-37.yaml
- jinja.palletsprojects.com/en/3.0.x/sandbox/
- nvd.nist.gov/vuln/detail/CVE-2023-25657
Detect and mitigate CVE-2023-25657 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →