
CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 0

Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions earlier than 1.5.7 are affected by a remote code execution vulnerability: Nautobot did not properly sandbox Jinja2 template rendering. Nautobot 1.5.7 enables sandboxed environments for the Jinja2 template engine used internally to render templates for the following objects: `extras.ComputedField`, `extras.CustomLink`, `extras.ExportTemplate`, `extras.Secret`, `extras.Webhook`. While no active exploits of this vulnerability are known, this change has been made as a preventative measure to protect against any potential remote code execution attacks utilizing maliciously crafted template code.

References:
- https://github.com/nautobot/nautobot/commit/d47f157e83b0c353bb2b697f911882c71cf90ca0
- https://github.com/nautobot/nautobot/security/advisories/GHSA-8mfq-f5wj-vw5m
- https://jinja.palletsprojects.com/en/3.0.x/sandbox/#sandbox

Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')