Submission #817064: ThingsBoard ThingsBoard Community Edition 3.6.2 through 4.3.1.1 Code Injection Info

Title: ThingsBoard ThingsBoard Community Edition 3.6.2 through 4.3.1.1 Code Injection

Description: ThingsBoard's gateway docker-compose.yml generation feature (DeviceConnectivityUtil#getGatewayDockerComposeFile) inlines device credentials into YAML output via StringBuilder concatenation without sanitization. An attacker can inject newline characters into credential values, breaking out of the intended YAML field and injecting arbitrary YAML nodes (e.g., entrypoint:, privileged: true) into the generated file.

Two endpoints converge on the same sink:
- POST /api/v1/provision (no JWT required, needs leaked provisioning credentials, treated as credential-equivalent)
- POST /api/device/{deviceId}/credentials (tenant JWT required)

When the administrator runs `docker compose up` on the downloaded file, the injected entrypoint executes, providing remote code execution inside the gateway container. With a privileged: true payload, container escape techniques grant root access on the administrator's host (verified by reporter via /dev/sda2 mount in test environment).

Vendor confirmed the vulnerability and published patch PR #15550 targeting CWE-93 and CWE-94, scheduled for v4.2 LTS (x.x.x.x milestone) and v4.3 LTS releases.

Reporter-assigned CVSS v3.1 Base Score: 9.0 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Affected versions: 3.6.2 through x.x.x.x (verified on x.x.x.x)
Patched in: x.x.x.x (lts-4.2 branch), v4.3 LTS (planned)

Distinction from CVE-2025-9094: CVE-2025-9094 covers "Add Gateway Handler" with template engine issues (CWE-791/1336). This report covers DeviceConnectivityUtil#getGatewayDockerComposeFile with StringBuilder concatenation (CWE-93/94). Different code paths confirmed by separate patch (PR #15550).

Reporter has confidentiality agreement with vendor: technical exploit details (PoC, exploitation chain) will not be disclosed publicly until patch release.
Source: https://github.com/thingsboard/thingsboard/pull/15550
User: sunshinetoyou (UID 97577)
Submitted: 2026-05-01 12:20 (1 month ago)
Moderation: 2026-05-26 12:58 (25 days later)
Status: Accepted
VulDB Entry: 365630 [ThingsBoard up to 4.3.1.1 YAML /api/v1/provision getGatewayDockerComposeFile privilege escalation]
Points: 20
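As an added illustration of the sink described above (this is neither ThingsBoard's code nor the reporter's PoC), the following Python re-implements the raw concatenation pattern beside a hardened generator that rejects control characters and emits the credential as a properly escaped YAML double-quoted scalar, plus a small check that flags keys a generated compose file should never contain. The compose layout, key names and sample tokens are assumptions made for this example.

```python
import re

# Constructed sample values for this example (not taken from the report).
SAMPLE_TOKEN = "gw-token-ABC123"
SAMPLE_INJECTED_TOKEN = "gw-token-ABC123\n    privileged: true"  # newline smuggled in

# Control characters (newline, CR, NUL, ...) let a value terminate the current
# YAML scalar and start a new node when it is concatenated into the file raw.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_YAML_KEY = re.compile(r"^\s*(?:- )?([A-Za-z_][\w-]*):(?:\s|$)", re.MULTILINE)

# Keys the generator is expected to emit (assumed layout); anything else is
# a node that did not come from the template.
EXPECTED_KEYS = {"services", "tb-gateway", "image", "environment"}

def is_safe_credential(value: str) -> bool:
    """Reject credentials that contain any control character."""
    return _CONTROL_CHARS.search(value) is None

def yaml_double_quote(value: str) -> str:
    """Render value as a YAML double-quoted scalar with escapes applied."""
    escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
               .replace("\n", "\\n").replace("\r", "\\r").replace("\t", "\\t"))
    return f'"{escaped}"'

def _compose_header() -> str:
    # Assumed shape of the generated file (illustrative, not ThingsBoard's).
    return ("services:\n  tb-gateway:\n    image: thingsboard/tb-gateway\n"
            "    environment:\n")

def render_compose_unsafe(access_token: str) -> str:
    """Raw concatenation, the pattern the report describes (comparison only)."""
    return _compose_header() + "      - accessToken=" + access_token + "\n"

def render_compose_safe(access_token: str) -> str:
    """Validate first, then emit the whole list item as one quoted scalar."""
    if not is_safe_credential(access_token):
        raise ValueError("credential contains control characters")
    item = yaml_double_quote("accessToken=" + access_token)
    return _compose_header() + "      - " + item + "\n"

def injected_keys(compose_text: str) -> list[str]:
    """Detection helper: YAML keys present that the generator never emits."""
    found = {m.group(1) for m in _YAML_KEY.finditer(compose_text)}
    return sorted(found - EXPECTED_KEYS)

if __name__ == "__main__":
    print(injected_keys(render_compose_unsafe(SAMPLE_INJECTED_TOKEN)))  # ['privileged']
    print(render_compose_safe(SAMPLE_TOKEN))
```

The detection helper can also be run over an already downloaded docker-compose.yml to spot a file that was generated before the fix was applied.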
