Submission #817064: ThingsBoard ThingsBoard Community Edition 3.6.2 through 4.3.1.1 Code Injection

Information

Title: ThingsBoard ThingsBoard Community Edition 3.6.2 through 4.3.1.1 Code Injection
Description:

ThingsBoard's gateway docker-compose.yml generation feature (DeviceConnectivityUtil#getGatewayDockerComposeFile) inlines device credentials into YAML output via StringBuilder concatenation without sanitization. An attacker can inject newline characters into credential values, breaking out of the intended YAML field and injecting arbitrary YAML nodes (e.g., entrypoint:, privileged: true) into the generated file.

Two endpoints converge on the same sink:
- POST /api/v1/provision (no JWT required, needs leaked provisioning credentials, treated as credential-equivalent)
- POST /api/device/{deviceId}/credentials (tenant JWT required)

When the administrator runs `docker compose up` on the downloaded file, the injected entrypoint executes, providing remote code execution inside the gateway container. With a privileged: true payload, container escape techniques grant root access on the administrator's host (verified by reporter via /dev/sda2 mount in test environment).

Vendor confirmed the vulnerability and published patch PR #15550 targeting CWE-93 and CWE-94, scheduled for v4.2 LTS (x.x.x.x milestone) and v4.3 LTS releases.

Reporter-assigned CVSS v3.1 Base Score: 9.0 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Affected versions: 3.6.2 through x.x.x.x (verified on x.x.x.x)
Patched in: x.x.x.x (lts-4.2 branch), v4.3 LTS (planned)

Distinction from CVE-2025-9094: CVE-2025-9094 covers "Add Gateway Handler" with template engine issues (CWE-791/1336). This report covers DeviceConnectivityUtil#getGatewayDockerComposeFile with StringBuilder concatenation (CWE-93/94). Different code paths confirmed by separate patch (PR #15550).

Reporter has a confidentiality agreement with the vendor: technical exploit details (PoC, exploitation chain) will not be disclosed publicly until patch release.
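The sink described in the submission (a credential concatenated into compose YAML, where a newline in the value ends the field early and the remainder is parsed as new YAML nodes), as an added example that is not part of the submission and not ThingsBoard's code. It is written in Python rather than the project's Java, and the compose layout, the environment variable names, the sample tokens and every function name are assumptions. It shows the unsafe builder yielding injected service-level keys, a hardened builder that rejects control characters and emits quoted scalars, and a check an administrator can run over a downloaded docker-compose.yml before `docker compose up`.

```python
"""Newline injection into a generated docker-compose.yml.

Added illustration, not ThingsBoard code: the compose layout, variable
names and function names are assumptions chosen to show the pattern.
"""
import re

# Constructed sample credentials (not real tokens).
BENIGN_TOKEN = "A1_gatewayAccessToken"
# The payload ends the accessToken line early, then adds two keys at the
# indentation of `image:`, i.e. at service level; `id` stands in for any command.
MALICIOUS_TOKEN = (
    "x\n"
    "    privileged: true\n"
    '    entrypoint: ["sh", "-c", "id"]'
)

# Service-level keys a generated gateway service is expected to carry (assumption).
SERVICE_KEYS_EXPECTED = ["image", "environment"]


def vulnerable_compose(host: str, token: str) -> str:
    """Unsafe pattern: the credential is concatenated into the YAML text
    unescaped, so any newline it carries starts a new YAML line."""
    parts = []
    parts.append("version: '3.4'\n")
    parts.append("services:\n")
    parts.append("  tb-gateway:\n")
    parts.append("    image: thingsboard/tb-gateway\n")
    parts.append("    environment:\n")
    parts.append("      - host=" + host + "\n")
    parts.append("      - accessToken=" + token + "\n")
    return "".join(parts)


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r", "\t": "\\t"}


def yaml_double_quote(value: str) -> str:
    """Render value as a YAML double-quoted scalar; backslash, quote and
    control characters are escaped, so the scalar cannot span lines."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def hardened_compose(host: str, token: str) -> str:
    """Defence in depth: reject control characters in credentials, then
    quote what remains so YAML syntax characters (#, :, -) stay literal."""
    for name, value in (("host", host), ("accessToken", token)):
        if _CONTROL.search(value):
            raise ValueError(f"{name} contains control characters")
    lines = [
        "version: '3.4'",
        "services:",
        "  tb-gateway:",
        "    image: thingsboard/tb-gateway",
        "    environment:",
        "      - " + yaml_double_quote("host=" + host),
        "      - " + yaml_double_quote("accessToken=" + token),
    ]
    return "\n".join(lines) + "\n"


def hardened_accepts(host: str, token: str) -> bool:
    """True if hardened_compose() produces a file for these credentials."""
    try:
        hardened_compose(host, token)
    except ValueError:
        return False
    return True


def service_level_keys(compose: str) -> list:
    """Keys found at the service level (four-space indent) of a compose text."""
    keys = []
    for line in compose.splitlines():
        match = re.match(r"^ {4}([A-Za-z_][A-Za-z0-9_]*):", line)
        if match:
            keys.append(match.group(1))
    return keys


def unexpected_service_keys(compose: str) -> list:
    """Service-level keys outside the expected set, in file order; a
    non-empty result (e.g. privileged, entrypoint) means the downloaded
    file should not be run as-is."""
    return [k for k in service_level_keys(compose) if k not in SERVICE_KEYS_EXPECTED]


if __name__ == "__main__":
    bad = vulnerable_compose("tb.example.internal", MALICIOUS_TOKEN)
    print(bad)
    print("injected keys:", unexpected_service_keys(bad))
    print("hardened accepts payload:", hardened_accepts("tb.example.internal", MALICIOUS_TOKEN))
```

The key check is a line-based heuristic tied to the assumed layout; for anything beyond a quick look at a downloaded file, load it with a real YAML parser and compare the service mapping against the keys you expect the generator to emit. On the generation side, rejecting control characters is what closes the newline break-out; quoting is kept so that characters such as `#` or `: ` in a credential cannot change the YAML structure either.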
Source: https://github.com/thingsboard/thingsboard/pull/15550
User: sunshinetoyou (UID 97577)
Submitted: 01/05/2026 12:20 PM (1 month ago)
Moderation: 26/05/2026 12:58 PM (25 days later)
Status: Approved
VulDB Entry: 365630 [ThingsBoard up to 4.3.1.1 YAML /api/v1/provision getGatewayDockerComposeFile privilege escalation]
Points: 20
