yeti-platform yeti
cpe:2.3:a:yeti-platform:yeti:*:*:*:*:*:*:*
- >= 2.0, <= 2.1.11
A server-side template injection (SSTI) vulnerability has been identified in Yeti Platform versions 2.0 through 2.1.11. This vulnerability allows attackers to execute code on the application server via the custom template export function. The issue arises because the template content is processed on the backend without proper sanitization, enabling the execution of malicious code. Exploitation of this vulnerability could lead to unauthorized code execution on the server, with potential consequences including the manipulation or destruction of threat intelligence data.
Exploitation of this vulnerability allows for authenticated remote code execution on the application server. However, due to the presence of another vulnerability (CVE-2024-46508) involving a static insecure JWT secret, this issue could be exploited to achieve unauthenticated remote code execution on servers using the default configuration.
To reproduce this vulnerability, first create a custom report template in Yeti Platform. Then select an observable and export it using that template. Once the export is initiated, a .txt file is downloaded; it contains the output of the command executed through the malicious template, demonstrating successful exploitation of the SSTI vulnerability.
Users can update to Yeti Platform version 2.1.12, where this vulnerability has been patched.
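The weakness described above is that user-authored template text is handed to a template engine that can reach into the Python objects passed to it. The following added example (not Yeti's code and not the 2.1.12 patch) contrasts the two rendering paths: an unrestricted Jinja2 Environment beside a SandboxedEnvironment with StrictUndefined, so that any access to underscore-prefixed or internal attributes fails closed with a SecurityError instead of silently rendering. It assumes a Jinja2-style export template (the advisory does not name the engine); the Observable class, the sample observables and both templates are constructed for the demonstration.

```python
"""Added example: rendering a user-supplied export template with and without a sandbox.

Assumption: the export feature renders Jinja2-style templates over observable records
(the advisory does not state the engine). Observable, SAMPLE and the templates are
constructed for this example and are not Yeti data or Yeti code.
"""
from dataclasses import dataclass

from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


@dataclass
class Observable:
    """Stand-in for a stored observable record (constructed for the example)."""
    value: str
    type: str
    tags: tuple


# Constructed sample observables an analyst might export.
SAMPLE = [
    Observable("203.0.113.7", "ipv4", ("c2",)),
    Observable("example.test", "hostname", ()),
]

# A legitimate report template: it only touches the exported fields.
BENIGN_TEMPLATE = "{% for o in observables %}{{ o.type }}: {{ o.value }}\n{% endfor %}"

# A template that reads an object's Python internals rather than its exported fields.
# It only reads one attribute; it is here to show what an unrestricted engine exposes.
PROBING_TEMPLATE = "{{ observables[0].__dict__ }}"


def render_unrestricted(template_text: str, observables: list) -> str:
    """The pattern the advisory describes: template text rendered by a plain Environment,
    which resolves any attribute the template names on the objects it receives."""
    env = Environment()
    return env.from_string(template_text).render(observables=observables)


def render_sandboxed(template_text: str, observables: list) -> str:
    """Hardened path: the sandbox refuses attributes starting with '_' and other
    internal attributes, and StrictUndefined turns that refusal into a SecurityError
    at render time instead of an empty string."""
    env = SandboxedEnvironment(undefined=StrictUndefined, autoescape=False)
    return env.from_string(template_text).render(observables=observables)


def export_is_blocked(template_text: str, observables: list) -> bool:
    """True when the sandbox rejects the template; a caller would log this as a
    suspicious template rather than return a downloadable file."""
    try:
        render_sandboxed(template_text, observables)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print("benign, unrestricted:\n" + render_unrestricted(BENIGN_TEMPLATE, SAMPLE))
    print("benign, sandboxed:\n" + render_sandboxed(BENIGN_TEMPLATE, SAMPLE))
    print("probing, unrestricted:", render_unrestricted(PROBING_TEMPLATE, SAMPLE))
    print("probing, sandboxed blocked:", export_is_blocked(PROBING_TEMPLATE, SAMPLE))
```

The sandbox is defence in depth, not the whole fix: the exported context should be a plain dictionary of the fields a report legitimately needs rather than live model objects, template creation should be limited to trusted roles, and template create and edit events are worth logging so that an unexpected template author stands out in review.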