How the CVE Works
The vulnerability stems from insufficient security controls around Nautobot’s Jinja2 templating, which is used to render computed fields and custom links. An attacker who can edit such a template can craft one that:
1. Exposes Secrets: retrieves sensitive values stored in Nautobot’s Secrets when the template is rendered.
2. Bypasses Permissions: executes unauthorized Python API calls, modifying data despite role-based restrictions.
The flaw exists because these Jinja2 templates are not sufficiently sandboxed, so a template can execute arbitrary code in the application’s context. Affected versions are Nautobot releases before 1.6.32 (1.x branch) and before 2.4.10 (2.x branch).
DailyCVE Form
Platform: Nautobot
Version: <1.6.32, <2.4.10
Vulnerability: Template Injection
Severity: Critical
Date: 2024-06-11
Prediction: Patch by 2024-06-25
What Undercode Says:
Exploit Analysis
1. Payload Example:
```jinja
{{ self.__init__.__globals__.__builtins__.exec("import os; os.system('id')") }}
```
2. Exfiltrate Secrets:
```jinja
{{ get_secret('db_password') }}  {# renders the secret value #}
```
Protection Commands
1. Upgrade:
```shell
pip install --upgrade nautobot==2.4.10
```
2. Mitigation (Pre-Patch):
```python
# settings.py
RESTRICT_TEMPLATE_PERMS = {
    'extras.view_secret': ['admin_only'],
    'extras.change_computedfield': ['readonly_roles'],
}
```
Detection Script (check for vulnerable versions):
```python
import requests
from packaging.version import Version

# Query the Nautobot status endpoint; the running release is reported
# under the "nautobot-version" key.
response = requests.get('http://nautobot/api/status/', timeout=10)
version = Version(response.json()['nautobot-version'])

# Vulnerable if below the first fixed release of the installed branch
# (1.6.32 for 1.x, 2.4.10 for 2.x), not only on the two exact versions.
if version < Version('1.6.32') or Version('2.0.0') <= version < Version('2.4.10'):
    print("VULNERABLE")
```
Patch Analysis
The fix introduces:
1. Strict Sandboxing: Blocks `__globals__` and `__builtins__` access.
2. Permission Validation: Verifies user role before template rendering.
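The two fix mechanisms above (sandboxing the template engine, and checking permissions before rendering) can be illustrated with plain Jinja2. The following is an added example written for this post; it is not Nautobot’s code. It contrasts an unsandboxed `Environment`, which lets a template walk dunder attributes, with Jinja2’s `SandboxedEnvironment`, which refuses them, and it only exposes a hypothetical `get_secret` accessor (a constructed stand-in, not a Nautobot API) to the template when the rendering user is permitted to view secrets.

```python
"""Hardened rendering of user-editable Jinja2 templates (added example, not Nautobot code)."""
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError, UndefinedError
from jinja2.sandbox import SandboxedEnvironment

# Constructed stand-in for a secrets store; the real Nautobot lookup is not modelled.
SECRETS = {"db_password": "s3cret-example"}


def render_unsandboxed(template_src: str, context: dict) -> str:
    """Render with a plain Environment: attribute access is unrestricted."""
    return Environment().from_string(template_src).render(**context)


def render_sandboxed(template_src: str, context: dict, can_view_secrets: bool = False) -> str:
    """Render untrusted template text inside Jinja2's sandbox.

    - SandboxedEnvironment rejects every attribute whose name starts with an
      underscore, so __class__, __init__, __globals__ and __builtins__ are unreachable.
    - StrictUndefined turns the sandbox's 'unsafe' placeholder into a SecurityError
      at render time instead of silently rendering an empty string.
    - get_secret (hypothetical accessor) is only placed in the context when the
      caller has permission, so the check happens before the template runs.
    """
    env = SandboxedEnvironment(undefined=StrictUndefined)
    ctx = dict(context)
    if can_view_secrets:
        ctx["get_secret"] = lambda name: SECRETS[name]
    try:
        return env.from_string(template_src).render(**ctx)
    except (SecurityError, UndefinedError) as exc:
        # Surface the rejection rather than returning partial output.
        return f"BLOCKED: {type(exc).__name__}"


if __name__ == "__main__":
    ctx = {"device": {"name": "rtr1"}}
    print(render_unsandboxed("{{ device.name }}", ctx))
    print(render_unsandboxed("{{ device.__class__ }}", ctx))  # plain env leaks the class
    print(render_sandboxed("{{ device.__class__ }}", ctx))    # sandbox refuses it
    print(render_sandboxed("{{ get_secret('db_password') }}", {}))        # no permission
    print(render_sandboxed("{{ get_secret('db_password') }}", {}, True))  # permitted
```

The important design point is that the permission decision is made by the caller, outside the template, and decides what the template can even reference; the sandbox then limits what the template can do with whatever it was given.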
Post-Patch Audit:
```shell
grep -r "jinja2.Template" /opt/nautobot/   # verify no unsafe templates remain
```
Reported By: github.com
Source: Undercode