Remote Code Execution using Server Side Template Injection

High

gmazoyer published GHSA-q37x-qfrx-jcv6

Mar 12, 2024

Package

peering-manager/peering-manager (git)

Affected versions

<=1.8.2

Patched versions

1.8.3

peeringmanager/peering-manager (docker)

<=1.8.2

1.8.3

Description

Summary

There is a Server Side Template Injection vulnerability that leads to Remote Code Execution in Peering Manager <=1.8.2.

Impact

Arbitrary commands can be executed on the operating system that is running Peering Manager.

Suggestions

Update to version 1.8.3 where a sandbox is used for jinja templates.
As now mentioned in the documentation, sandboxing is not a guaranteed protection. Always check any code before using it in your instance.

Further References

Severity

High

8.1

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

High

User interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N