Tandoor Recipes Jinja2 Server-Side Template Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A server-side template injection (SSTI) vulnerability has been identified in Tandoor Recipes versions through 1.5.23. It allows users to execute commands on the server via Jinja2 template syntax. In environments using the provided Docker Compose file, the commands are executed with root privileges. The issue arises because user-supplied recipe content is passed to the Jinja2 template engine without sanitization, so it can be crafted to exploit the template rendering process.

Impact

Exploitation of this vulnerability allows arbitrary command execution on the server, with potential for full server compromise. In deployments based on the provided Docker Compose file, commands are executed as the root user.

Reproduction

To reproduce this vulnerability, create a recipe and include Jinja2 template syntax in the instructions. The unsanitized input is processed by the Jinja2 template engine, allowing command execution on the server. For example, a payload can be crafted to execute the 'whoami' command, with the response indicating the user under which the command was executed.
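As an added illustration, not taken from this advisory or from the Tandoor Recipes code base, the Python below contrasts the vulnerable pattern described here (user-supplied recipe text used as the Jinja2 template source) with the corrected pattern (a fixed template that receives the user text only as data), plus a simple audit check for stored content carrying template delimiters; the function names and the sample input are assumptions.

```python
from jinja2 import Environment

# Constructed sample input: recipe instructions as a user might submit them.
# It carries a Jinja2 expression, the hallmark of a template-injection probe.
USER_INSTRUCTIONS = "Preheat the oven to {{ 7 * 7 }} degrees"


def render_instructions_vulnerable(user_text: str) -> str:
    """Anti-pattern (hypothetical): the user's text becomes the *template
    source*, so every Jinja2 expression or statement inside it is evaluated
    by the engine with the application's privileges."""
    env = Environment()
    return env.from_string(user_text).render()


def render_instructions_fixed(user_text: str) -> str:
    """Fix (hypothetical): the template is a fixed, developer-controlled
    string; the user's text is passed in as a context variable and is only
    ever treated as data. Autoescaping additionally neutralises HTML so the
    same field cannot be used for cross-site scripting. Note that a
    jinja2.sandbox.SandboxedEnvironment alone would NOT fix the bug: it
    still evaluates expressions, it merely restricts what they may reach."""
    env = Environment(autoescape=True)
    template = env.from_string("<p>{{ instructions }}</p>")
    return template.render(instructions=user_text)


def contains_template_syntax(text: str) -> bool:
    """Detection aid for defenders: flag stored recipe content that carries
    Jinja2 delimiters so existing records can be audited after patching."""
    return any(token in text for token in ("{{", "{%", "{#"))


if __name__ == "__main__":
    print("vulnerable:", render_instructions_vulnerable(USER_INSTRUCTIONS))
    print("fixed:     ", render_instructions_fixed(USER_INSTRUCTIONS))
    print("flagged:   ", contains_template_syntax(USER_INSTRUCTIONS))
```

In the vulnerable path the arithmetic is evaluated and "49" appears in the output; in the fixed path the braces survive untouched as literal text, which is the behaviour to verify when testing a patched instance.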

Remediation

Upgrade to Tandoor Recipes version 1.5.24 or later, which patches this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 7.5
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 7.7
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.