SCA: security update for nautobot (GHSA-8mfq-f5wj-vw5m)

high Tenable Cloud Security Plugin ID 412757

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions
earlier than 1.5.7 are impacted by a remote code execution vulnerability. Nautobot did not properly
sandbox Jinja2 template rendering. In Nautobot 1.5.7 has enabled sandboxed environments for the Jinja2
template engine used internally for template rendering for the following objects: `extras.ComputedField`,
`extras.CustomLink`, `extras.ExportTemplate`, `extras.Secret`, `extras.Webhook`. While no active exploits
of this vulnerability are known this change has been made as a preventative measure to protect against any
potential remote code execution attacks utilizing maliciously crafted template code. This change forces
the Jinja2 template engine to use a `SandboxedEnvironment` on all new installations of Nautobot. This
addresses any potential unsafe code execution everywhere the helper function
`nautobot.utilities.utils.render_jinja2` is called. Additionally, the documentation that had previously
suggesting the direct use of `jinja2.Template` has been revised to suggest `render_jinja2`. Users are
advised to upgrade to Nautobot 1.5.7 or newer. For users that are unable to upgrade to the latest release
of Nautobot, you may add the following setting to your `nautobot_config.py` to apply the sandbox
environment enforcement: `TEMPLATES[1]["OPTIONS"]["environment"] = "jinja2.sandbox.SandboxedEnvironment"`
After applying this change, you must restart all Nautobot services, including any Celery worker processes.
**Note:** *Nautobot specifies two template engines by default, the first being “django” for the Django
built-in template engine, and the second being “jinja” for the Jinja2 template engine. This recommended
setting will update the second item in the list of template engines, which is the Jinja2 engine.* For
users that are unable to immediately update their configuration such as if a Nautobot service restart is
too disruptive to operations, access to provide custom Jinja2 template values may be mitigated using
permissions to restrict “change” (write) actions to the affected object types listed in the first section.
**Note:** *This solution is intended to be stopgap until you can successfully update your
`nautobot_config.py` or upgrade your Nautobot instance to apply the sandboxed environment enforcement.*
(CVE-2023-25657)

See Also

https://github.com/advisories/GHSA-8mfq-f5wj-vw5m

Plugin Details

Severity: High

ID: 412757

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.07

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-25657

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.7

Threat Score: 5.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/22/2023

Vulnerability Publication Date: 2/21/2023

Reference Information

CVE: CVE-2023-25657

cwe: CWE-94