Dependency-Track Local File Inclusion Vulnerability in Notification Templates

Vulnerability

A local file inclusion vulnerability has been identified in Dependency-Track versions prior to 4.12.6. The issue arises from the Pebble template engine used to render custom notification templates, which users holding the 'SYSTEM_CONFIGURATION' permission can create. Because Pebble's 'include' tag was not restricted, such a template can pull in sensitive local files, such as '/etc/passwd' or '/proc/1/environ'. When a template of this kind is attached to a notification rule whose destination the template author controls, the notification leaks the file contents.

Impact

Exploitation of this vulnerability allows arbitrary local file inclusion: any file readable by the Dependency-Track process can be rendered into the template output. This can leak sensitive information, including the process's environment variables (and any secrets passed through them) via the '/proc' filesystem.

Reproduction

To reproduce this vulnerability, create a notification template using the Pebble template engine's 'include' tag to reference a sensitive local file. Assign this template to a notification rule and send it to a destination you control. The included file's contents will be leaked through the notification.

Remediation

The vulnerability has been fixed in Dependency-Track version 4.12.6, where the 'include' tag is disabled for notification templates, preventing the inclusion of local files. As a workaround on earlier versions, avoid granting the 'SYSTEM_CONFIGURATION' permission to untrusted users, since that permission is what allows custom templates to be created.
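The two defensive actions above (upgrade to 4.12.6 or later, and review who can author templates) can be backed by a quick audit of the templates that are already stored. The following script is an added example and is not part of the advisory or of the Dependency-Track project: it flags an instance version below the fixed version and scans template bodies for Pebble 'include' tags, reporting the referenced paths. The version strings and template texts are constructed sample input; the function names are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Pebble's include tag looks like {% include "path" %} or {% include 'path' with {...} %}.
# The regex captures the quoted path so a reviewer can see exactly what a template pulls in.
INCLUDE_TAG = re.compile(
    r"\{%-?\s*include\s+(['\"])(?P<path>.*?)\1", re.IGNORECASE | re.DOTALL
)

# First version in which the include tag is disabled for notification templates.
FIXED_VERSION: Tuple[int, ...] = (4, 12, 6)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.12.5', 'v4.12.6' or '4.13.0-SNAPSHOT' into a comparable tuple of ints."""
    core = version.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the instance runs a release prior to 4.12.6."""
    return parse_version(version) < FIXED_VERSION


def find_includes(template: str) -> List[str]:
    """Return every path referenced by an include tag in a template body."""
    return [m.group("path") for m in INCLUDE_TAG.finditer(template)]


def audit_templates(version: str, templates: Dict[str, str]) -> List[str]:
    """Produce human-readable findings for a Dependency-Track instance.

    `templates` maps a template name to its stored Pebble source. Any include tag
    is reported, regardless of version: a template that includes a local file is
    still a bad sign even after the upgrade neutralises the tag.
    """
    findings: List[str] = []
    if is_vulnerable_version(version):
        findings.append(
            f"Dependency-Track {version} is prior to 4.12.6: upgrade, "
            "and restrict SYSTEM_CONFIGURATION until then"
        )
    for name, body in templates.items():
        for path in find_includes(body):
            findings.append(f"template {name!r} includes {path!r}")
    return findings


# Constructed sample templates: one benign, one abusing the include tag.
SAMPLE_TEMPLATES: Dict[str, str] = {
    "new-vulnerability": "New finding: {{ notification.title }}\n{{ notification.content }}",
    "suspicious": "Report: {% include \"/etc/passwd\" %}",
}

if __name__ == "__main__":
    for line in audit_templates("4.12.5", SAMPLE_TEMPLATES):
        print(line)
```

Run it against the exported template bodies of an instance (the script reads nothing from a live server; feed it the version string and template sources you have collected) and treat every reported include path as something to remove, then confirm the version finding disappears after upgrading.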

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 2.5
exploitability: 6.1
remediation: 7.9
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.