Listmonk Template Injection Vulnerability Allowing Environment Variable Access

Vulnerability

A critical template injection vulnerability has been identified in Listmonk, a self-hosted newsletter and mailing list manager. It affects versions from 4.0.0 up to, but not including, 5.0.2. The vulnerability arises from the default inclusion of the 'env' and 'expandenv' template functions from the Sprig library, which allow templates to read environment variables on the host. In multi-user installations, this enables non-super-admin users with campaign or template permissions to capture sensitive environment data, such as database credentials and SMTP passwords, by using the '{{ env }}' template expression. The vulnerability is particularly concerning in the campaign preview functionality, where affected users can render template content that reads environment variables, potentially exposing critical system data.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive environment variables, which can include database credentials, SMTP passwords, and admin credentials. This access could lead to a full compromise of the database, cloud accounts, and overall system integrity, depending on the specific environment variable contents.

Reproduction

To reproduce this vulnerability, create a user with 'campaigns:get' and 'campaigns:get_all' privileges. Log in as this user and navigate to any campaign's content section. Here, the vulnerability can be exploited by entering '{{ env "AWS_KEY" }}', '{{ env "LISTMONK_db__user" }}', and '{{ env "LISTMONK_db__password" }}' into the text field and pressing 'Preview'. This action will trigger the template functions, accessing and displaying the specified environment variable values, thereby demonstrating the vulnerability.

Remediation

Users are advised to upgrade to Listmonk version 5.0.2, which removes the 'env' and 'expandenv' functions from the Sprig template library, preventing access to environment variables from within templates. Instructions for upgrading are available on the Listmonk GitHub release page.
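
The effect of that fix can be seen with Go's standard text/template package. The following is an added example, not Listmonk's or Sprig's own code: baseFuncs is a stand-in for Sprig's default function map (Sprig maps 'env' to os.Getenv and 'expandenv' to os.ExpandEnv), and safeFuncs, render and DEMO_SECRET are hypothetical names with a constructed value.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// baseFuncs is a stand-in for a Sprig-style default function map (assumption:
// Sprig itself is not imported). "upper" represents the harmless helpers.
func baseFuncs() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
		"upper":     strings.ToUpper,
	}
}

// safeFuncs returns the same map with the host-environment accessors removed.
func safeFuncs() template.FuncMap {
	fm := baseFuncs()
	delete(fm, "env")
	delete(fm, "expandenv")
	return fm
}

// render parses and executes user-supplied template text with the given functions.
func render(src string, fm template.FuncMap) (string, error) {
	t, err := template.New("preview").Funcs(fm).Parse(src)
	if err != nil {
		return "", err // unknown functions are rejected here, at parse time
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	os.Setenv("DEMO_SECRET", "constructed-value") // constructed sample variable
	for _, fm := range []template.FuncMap{baseFuncs(), safeFuncs()} {
		out, err := render(`{{ upper "hi" }} {{ env "DEMO_SECRET" }}`, fm)
		fmt.Printf("out=%q err=%v\n", out, err)
	}
}
```

With the reduced map the template fails to parse, so nothing is rendered at all; a regression test asserting that parse error is a cheap way to confirm the functions stay removed after dependency updates.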

Added: Jun 9, 2025, 5:18 PM
Updated: Jun 9, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 0.2
threat: 7.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.