Netaxis API Orchestrator Server-Side Template Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A server-side template injection vulnerability has been identified in Netaxis API Orchestrator (APIO) versions prior to 0.19.3. This vulnerability allows user-controlled input to be parsed and executed by the server's template engine, Jinja2, leading to remote code execution. The issue was discovered by probing the application's template rendering behavior and exploiting the evaluation of arithmetic expressions within template delimiters.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the application backend running with root privileges.

Reproduction

The vulnerability can be reproduced by sending input to the '/help/template-playground' endpoint, which is intended to let users test scripts before deploying them. The server-side template engine renders this input without sanitizing it, so template syntax probes submitted to the endpoint are parsed as template code; a server response that reflects their evaluation confirms the presence of server-side template injection. Exploitation then consists of injecting expressions that execute arbitrary code on the server when evaluated.
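The following is an added example and is not Netaxis code. It shows, in Python with the Jinja2 package the advisory names, the rendering pattern that produces this class of bug (user text used as the template source), beside two hardened forms (user text passed as a variable to a fixed template, and a sandboxed environment for a playground that must accept user-authored templates), plus a regression check built on the arithmetic probe described above. The function names and the sample objects are hypothetical stand-ins, not the product's own API.

```python
"""Added example, not Netaxis code: the server-side template injection pattern
described above, beside two hardened forms and a regression check.
Assumes the jinja2 package (the engine named in the advisory) is installed;
the function names are hypothetical stand-ins for a playground endpoint."""
from types import SimpleNamespace

from jinja2 import Environment, StrictUndefined
from jinja2.sandbox import SandboxedEnvironment, SecurityError


def render_unsafe(user_text: str) -> str:
    """Vulnerable pattern: the user's text *is* the template source, so any
    {{ ... }} or {% ... %} it contains is parsed and evaluated on the server."""
    env = Environment(autoescape=False)
    return env.from_string(user_text).render()


def render_as_data(user_text: str) -> str:
    """Fix 1: the template is a fixed, developer-controlled string and the
    user's text is passed in as a variable, so it is displayed, never parsed."""
    env = Environment(autoescape=True)
    return env.from_string("Preview: {{ text }}").render(text=user_text)


def render_sandboxed(user_template: str, **context) -> str:
    """Fix 2 (for a playground where users legitimately author templates):
    render in Jinja2's SandboxedEnvironment, which refuses access to private
    and internal attributes. StrictUndefined turns a refused lookup into a
    SecurityError instead of silently rendering an empty string."""
    env = SandboxedEnvironment(autoescape=True, undefined=StrictUndefined)
    return env.from_string(user_template).render(**context)


def sandbox_rejects(user_template: str, **context) -> bool:
    """True if the sandbox refused to render `user_template`."""
    try:
        render_sandboxed(user_template, **context)
    except SecurityError:
        return True
    return False


def evaluates_user_delimiters(render) -> bool:
    """Regression check for any renderer that takes user text: feed it the
    arithmetic probe the advisory describes and see whether the delimiters
    were evaluated. A safe renderer echoes the text; it never computes it."""
    probe = "{{ 1000 + 337 }}"  # constructed probe; evaluates to 1337
    return "1337" in render(probe)


if __name__ == "__main__":
    print("unsafe evaluates delimiters:", evaluates_user_delimiters(render_unsafe))
    print("as-data evaluates delimiters:", evaluates_user_delimiters(render_as_data))
    print("sandbox arithmetic still works:", render_sandboxed("{{ 2 * 3 }}"))
    cfg = SimpleNamespace(_token="constructed-secret")  # constructed object
    print("sandbox blocks private attribute:", sandbox_rejects("{{ cfg._token }}", cfg=cfg))
```

The regression check is the defender's version of the probe: run it against every code path that renders user-supplied text and fail the build if any of them computes the value. The sandbox is a reduction of attack surface rather than a guarantee, so it belongs alongside, not instead of, running the backend as an unprivileged user; the advisory's impact section notes the affected backend runs as root, which turns any template-engine escape into full host compromise.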

Added: Dec 17, 2025, 3:18 PM
Updated: Dec 17, 2025, 4:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.7
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.