NetBox-Docker Default Superuser Credentials Vulnerability
Vulnerability
A vulnerability exists in NetBox-Docker versions prior to 2.5.0, where a superuser account is created with default credentials. The admin account is set to 'admin' for both username and password, and the SUPERUSER_API_TOKEN is hardcoded with a specific value. While most users change the password, only about 90% also replace the token. This default token was intentionally included for development purposes, but it has been overlooked by some users who deployed NetBox-Docker in production. The issue arises because the installation process does not enforce the use of non-default values, leaving some instances running with the original credentials.
Impact
Exploitation of this vulnerability allows unauthorized access to the NetBox API with superuser privileges, potentially leading to unauthorized data manipulation or access.
Reproduction
Deploy a NetBox-Docker version prior to 2.5.0. After installation, the default superuser credentials can be used to access the application: the username 'admin', the password 'admin', and the SUPERUSER_API_TOKEN '0123456789abcdef0123456789abcdef01234567'.
Remediation
Users can upgrade to NetBox-Docker version 2.5.0 or later, where this vulnerability has been addressed by removing the default superuser credentials. Instructions for upgrading can be found in the NetBox-Docker repository.
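For deployments that cannot upgrade immediately, the practical defensive check is to confirm that the shipped default values have actually been replaced in the environment file that seeds the superuser. The following script is an added example and is not code from NetBox-Docker or from this advisory. It assumes the credentials live in a dotenv-style file such as env/netbox.env and uses the variable names SUPERUSER_PASSWORD and SUPERUSER_API_TOKEN (the token variable is named in the advisory; the password variable name is an assumption). The sample file content at the bottom is constructed to mirror an unchanged installation.

```python
"""Audit a netbox-docker env file for the shipped default superuser credentials.

Added example, not part of netbox-docker or the advisory. The dotenv file path
and the SUPERUSER_PASSWORD variable name are assumptions; SUPERUSER_API_TOKEN
and both default values come from the advisory text.
"""
from __future__ import annotations

import re
import sys

# Default values named in the advisory.
DEFAULT_PASSWORD = "admin"
DEFAULT_TOKEN = "0123456789abcdef0123456789abcdef01234567"

# Variables to inspect, mapped to the default that must no longer be present.
CHECKS = {
    "SUPERUSER_PASSWORD": DEFAULT_PASSWORD,   # assumed variable name
    "SUPERUSER_API_TOKEN": DEFAULT_TOKEN,     # named in the advisory
}

# KEY=VALUE with optional "export " prefix; value may be quoted.
_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text: str) -> dict[str, str]:
    """Parse dotenv-style text into a dict, skipping blanks and '#' comments."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # not a KEY=VALUE line; ignore rather than guess
        key, value = m.group(1), m.group(2)
        # Strip one layer of matching single or double quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def find_default_credentials(env: dict[str, str]) -> list[str]:
    """Return the variable names that are still set to the shipped default."""
    return [key for key, default in CHECKS.items() if env.get(key) == default]


def find_missing(env: dict[str, str]) -> list[str]:
    """Return checked variables that are absent, so the audit is not silently skipped."""
    return [key for key in CHECKS if key not in env]


# Constructed sample mirroring an env file that was never edited after install.
SAMPLE_ENV = """# constructed sample, not a real deployment
SUPERUSER_NAME=admin
SUPERUSER_EMAIL=admin@example.com
SUPERUSER_PASSWORD=admin
SUPERUSER_API_TOKEN=0123456789abcdef0123456789abcdef01234567
"""


def main(argv: list[str]) -> int:
    """Audit the file given on the command line, or the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ENV
    env = parse_env(text)
    defaults = find_default_credentials(env)
    missing = find_missing(env)
    for key in defaults:
        print(f"FAIL: {key} still has the shipped default value")
    for key in missing:
        print(f"WARN: {key} not found in file; check where the superuser is seeded")
    if not defaults:
        print("OK: no default superuser credentials found")
    return 1 if defaults else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_netbox_env.py env/netbox.env`; a non-zero exit status marks a file that still carries a default, which makes it easy to wire into a deployment pipeline as a gate. Because the token is seeded from this file, replacing the value here only takes effect for a freshly created superuser; an existing instance also needs the token rotated through the NetBox admin interface.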
