8.8 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse ignored reference https://w…
- @LeSuisse ignored package netbox_4_2
NetBox 4.3.5 - 4.5.4 RCE via RenderTemplateMixin
NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method. An authenticated user holding exporttemplate or configtemplate permissions can execute arbitrary code by supplying Python callables in the environment_params field. This bypasses the Jinja2 SandboxedEnvironment protections: the finalize parameter can be set to any importable Python callable, such as subprocess.getoutput, and the compiled template applies finalize to every output expression directly rather than through the sandbox's call interception, so each rendered expression value is handed to that callable. The result is remote code execution as the NetBox service user.
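The mechanism described above, as an added example that is not NetBox's code: the sandbox still blocks the usual dunder-attribute escape, but a finalize callable passed into the environment constructor runs outside the sandbox. How a string in environment_params becomes a live callable is modelled here by a hypothetical resolve_callable helper, and the allowlist validator at the end is an illustrative mitigation, not the project's fix. It assumes jinja2 is installed.

```python
"""Model of the finalize-outside-the-sandbox issue (added example, not NetBox's code)."""
import importlib

from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


def resolve_callable(dotted_path):
    # Hypothetical: assumed shape of turning "subprocess.getoutput" into the function.
    module_name, _, attr = dotted_path.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def render_unsafely(template_src, environment_params, context=None):
    """Vulnerable pattern: user-controlled environment_params flow straight into
    the SandboxedEnvironment constructor, including a callable for finalize."""
    params = {
        k: resolve_callable(v) if k == "finalize" and isinstance(v, str) else v
        for k, v in environment_params.items()
    }
    env = SandboxedEnvironment(**params)
    return env.from_string(template_src).render(**(context or {}))


def sandbox_blocks_attribute_escape():
    """The sandbox does intercept the classic escape (walking dunder attributes)."""
    try:
        render_unsafely("{{ ''.__class__.__mro__ }}", {})
    except SecurityError:
        return True
    return False


def finalize_runs_outside_sandbox():
    """finalize is applied to every output expression by the compiled template,
    not via SandboxedEnvironment.call, so the sandbox never inspects it.
    Returns the values the callable received."""
    seen = []

    def spy(value):
        seen.append(value)
        return value

    render_unsafely("{{ 'id' }}{{ 1 + 1 }}", {"finalize": spy})
    return seen


def finalize_as_shell():
    """With subprocess.getoutput as finalize, each expression value becomes a
    shell command line (a benign echo here; the attacker picks the command)."""
    return render_unsafely("{{ 'echo pwned' }}", {"finalize": "subprocess.getoutput"})


# Illustrative mitigation (not the project's fix): accept only an allowlist of
# Jinja2 Environment options with primitive values, so no callable can reach
# the constructor whatever the stored JSON contains.
SAFE_ENVIRONMENT_PARAMS = {
    "trim_blocks": bool,
    "lstrip_blocks": bool,
    "keep_trailing_newline": bool,
    "autoescape": bool,
}


def validate_environment_params(environment_params):
    for key, value in environment_params.items():
        expected = SAFE_ENVIRONMENT_PARAMS.get(key)
        if expected is None:
            raise ValueError(f"environment_params key not permitted: {key!r}")
        if type(value) is not expected:
            raise ValueError(f"environment_params[{key!r}] must be {expected.__name__}")
    return dict(environment_params)


def render_safely(template_src, environment_params, context=None):
    env = SandboxedEnvironment(**validate_environment_params(environment_params))
    return env.from_string(template_src).render(**(context or {}))


if __name__ == "__main__":
    print(sandbox_blocks_attribute_escape())   # True
    print(finalize_runs_outside_sandbox())      # ['id', 2]
    print(finalize_as_shell())                  # pwned
    print(render_safely("{{ name }}", {"trim_blocks": True}, {"name": "ok"}))
```

The point to check in any template-rendering feature that exposes environment options: the sandbox guards attribute access and calls made from inside the template, not arguments handed to the Environment constructor; anything that can become a callable there (finalize, undefined, custom filters or globals) runs with the full privileges of the service.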
References
- https://github.com/netbox-community/netbox/issues/22079 issue-tracking
- https://github.com/netbox-community/netbox/pull/22078 issue-tracking
Ignored references (1)
- https://www.vulncheck.com/advisories/netbox-rce-via-rendertemplatemixin third-party-advisory
Affected products
- <= 4.5.4
Matching in nixpkgs
pkgs.netbox
IP address management (IPAM) and data center infrastructure management (DCIM) tool
pkgs.netbox_4_3
IP address management (IPAM) and data center infrastructure management (DCIM) tool
pkgs.netbox_4_4
IP address management (IPAM) and data center infrastructure management (DCIM) tool
pkgs.netbox_4_5
IP address management (IPAM) and data center infrastructure management (DCIM) tool
pkgs.netbox2netshot
Inventory synchronization tool between Netbox and Netshot
pkgs.pkgsRocm.netbox
IP address management (IPAM) and data center infrastructure management (DCIM) tool
pkgs.pkgsRocm.netbox_4_4
IP address management (IPAM) and data center infrastructure management (DCIM) tool
pkgs.python312Packages.pynetbox
API client library for Netbox
pkgs.python313Packages.pynetbox
API client library for Netbox
pkgs.python314Packages.pynetbox
API client library for Netbox
pkgs.python312Packages.netbox-bgp
NetBox plugin for BGP related objects documentation
pkgs.python312Packages.netbox-dns
Netbox plugin for managing DNS data
pkgs.python313Packages.netbox-bgp
NetBox plugin for BGP related objects documentation
pkgs.python313Packages.netbox-dns
Netbox plugin for managing DNS data
pkgs.python314Packages.netbox-bgp
NetBox plugin for BGP related objects documentation
pkgs.python314Packages.netbox-dns
Netbox plugin for managing DNS data
pkgs.python312Packages.netbox-qrcode
Netbox plugin for generating QR codes for objects: Rack, Device, Cable
pkgs.python313Packages.netbox-qrcode
Netbox plugin for generating QR codes for objects: Rack, Device, Cable
pkgs.python314Packages.netbox-qrcode
Netbox plugin for generating QR codes for objects: Rack, Device, Cable
pkgs.python312Packages.netbox-routing
NetBox plugin for tracking all kinds of routing information
pkgs.python313Packages.netbox-routing
NetBox plugin for tracking all kinds of routing information
pkgs.python314Packages.netbox-routing
NetBox plugin for tracking all kinds of routing information
pkgs.python313Packages.netbox-contract
Contract plugin for netbox
pkgs.python312Packages.netbox-documents
Plugin designed to facilitate the storage of site, circuit, device type and device specific documents within NetBox
pkgs.python313Packages.netbox-documents
Plugin designed to facilitate the storage of site, circuit, device type and device specific documents within NetBox
pkgs.python314Packages.netbox-documents
Plugin designed to facilitate the storage of site, circuit, device type and device specific documents within NetBox
pkgs.pkgsRocm.python3Packages.netbox-bgp
NetBox plugin for BGP related objects documentation
pkgs.python312Packages.netbox-reorder-rack
NetBox plugin to allow users to reorder devices within a rack using a drag and drop UI
pkgs.python313Packages.netbox-reorder-rack
NetBox plugin to allow users to reorder devices within a rack using a drag and drop UI
pkgs.python314Packages.netbox-reorder-rack
NetBox plugin to allow users to reorder devices within a rack using a drag and drop UI
pkgs.pkgsRocm.python3Packages.netbox-qrcode
Netbox plugin for generating QR codes for objects: Rack, Device, Cable
pkgs.python313Packages.netbox-napalm-plugin
Netbox plugin for Napalm integration
pkgs.pkgsRocm.python3Packages.netbox-routing
NetBox plugin for tracking all kinds of routing information
pkgs.python313Packages.netbox-topology-views
Netbox plugin for generating topology views/maps from your devices
pkgs.terraform-providers.e-breuninger_netbox
None
pkgs.pkgsRocm.python3Packages.netbox-contract
Contract plugin for netbox
pkgs.pkgsRocm.python3Packages.netbox-documents
Plugin designed to facilitate the storage of site, circuit, device type and device specific documents within NetBox
pkgs.python313Packages.netbox-floorplan-plugin
Netbox plugin providing floorplan mapping capability for locations and sites
pkgs.pkgsRocm.python3Packages.netbox-reorder-rack
NetBox plugin to allow users to reorder devices within a rack using a drag and drop UI
pkgs.pkgsRocm.python3Packages.netbox-napalm-plugin
Netbox plugin for Napalm integration
pkgs.python312Packages.netbox-plugin-prometheus-sd
Netbox plugin to provide Netbox entries to Prometheus HTTP service discovery
pkgs.python313Packages.netbox-plugin-prometheus-sd
Netbox plugin to provide Netbox entries to Prometheus HTTP service discovery
pkgs.python314Packages.netbox-plugin-prometheus-sd
Netbox plugin to provide Netbox entries to Prometheus HTTP service discovery
pkgs.pkgsRocm.python3Packages.netbox-topology-views
Netbox plugin for generating topology views/maps from your devices
pkgs.pkgsRocm.python3Packages.netbox-floorplan-plugin
Netbox plugin providing floorplan mapping capability for locations and sites
pkgs.python312Packages.netbox-interface-synchronization
Netbox plugin to compare and synchronize interfaces between devices and device types
pkgs.python313Packages.netbox-interface-synchronization
Netbox plugin to compare and synchronize interfaces between devices and device types
pkgs.python314Packages.netbox-interface-synchronization
Netbox plugin to compare and synchronize interfaces between devices and device types
pkgs.pkgsRocm.python3Packages.netbox-plugin-prometheus-sd
Netbox plugin to provide Netbox entries to Prometheus HTTP service discovery
pkgs.pkgsRocm.python3Packages.netbox-interface-synchronization
Netbox plugin to compare and synchronize interfaces between devices and device types
Ignored packages (1)
pkgs.netbox_4_2
IP address management (IPAM) and data center infrastructure management (DCIM) tool
Package maintainers
- @RaitoBezarius Ryan Lahfa <ryan@lahfa.xyz>
- @minijackson Rémi Nicole <minijackson@riseup.net>
- @transcaffeine transcaffeine <transcaffeine@finally.coffee>
- @mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
- @felbinger Nico Felbinger <nico@felbinger.eu>
- @benley Benjamin Staffin <benley@gmail.com>
- @Chaostheorie Cobalt <cobalt@cobalt.rocks>
- @xanderio Alexander Sieg <alex@xanderio.de>