| Field | Value |
|---|---|
| Title | ThingsBoard ThingsBoard Community Edition 3.6.2 through 4.3.1.1 Code Injection |
| Description | ThingsBoard's gateway docker-compose.yml generation feature (DeviceConnectivityUtil#getGatewayDockerComposeFile) inlines device credentials into YAML output via StringBuilder concatenation without sanitization.<br>An attacker can inject newline characters into credential values, breaking out of the intended YAML field and injecting arbitrary YAML nodes (e.g., entrypoint:, privileged: true) into the generated file.<br>Two endpoints converge on the same sink:<br>- POST /api/v1/provision (no JWT required, needs leaked provisioning credentials, treated as credential-equivalent)<br>- POST /api/device/{deviceId}/credentials (tenant JWT required)<br>When the administrator runs `docker compose up` on the downloaded file, the injected entrypoint executes, providing remote code execution inside the gateway container.<br>With a privileged: true payload, container escape techniques grant root access on the administrator's host (verified by reporter via /dev/sda2 mount in test environment).<br>Vendor confirmed the vulnerability and published patch PR #15550 targeting CWE-93 and CWE-94, scheduled for v4.2 LTS (x.x.x.x milestone) and v4.3 LTS releases.<br>Reporter-assigned CVSS v3.1 Base Score: 9.0 (Critical)<br>Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H<br>Affected versions: 3.6.2 through x.x.x.x (verified on x.x.x.x)<br>Patched in: x.x.x.x (lts-4.2 branch), v4.3 LTS (planned)<br>Distinction from CVE-2025-9094: CVE-2025-9094 covers "Add Gateway Handler" with template engine issues (CWE-791/1336). This report covers DeviceConnectivityUtil#getGatewayDockerComposeFile with StringBuilder concatenation (CWE-93/94). Different code paths confirmed by separate patch (PR #15550).<br>Reporter has a confidentiality agreement with vendor: technical exploit details (PoC, exploitation chain) will not be disclosed publicly until patch release. |
| Source | https://github.com/thingsboard/thingsboard/pull/15550 |
| User | sunshinetoyou (UID 97577) |
| Submitted | 01/05/2026 12:20 (1 month ago) |
| Moderated | 26/05/2026 12:58 (25 days later) |
| Status | accepted |
| VulDB entry | 365630 [ThingsBoard up to 4.3.1.1 YAML /api/v1/provision getGatewayDockerComposeFile privilege escalation] |
| Points | 20 |
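The root cause described above is a generic one: an untrusted string is placed into a generated YAML document by concatenation, so any newline in the value becomes a new YAML line. The following Python example is added here for illustration and is not ThingsBoard's code (the real generator is Java, and its compose template is not reproduced); the template layout, the `accessToken` key and the placeholder image name are assumptions. It contrasts the raw-interpolation pattern with two mitigations a defender would apply: rejecting control characters at the API boundary, and encoding the value as a YAML double-quoted scalar so it always occupies exactly one line, whatever it contains.

```python
"""Keeping an untrusted credential inside a single YAML field.

Illustrative example, not ThingsBoard code. Contrasts raw interpolation
(equivalent to the StringBuilder concatenation the report describes) with
input validation and a YAML double-quoted scalar encoder.
"""
import re

# Characters that can end or restructure a YAML line if emitted raw.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f\u0085\u2028\u2029]")

# Constructed template; the real generator's layout is not reproduced here.
_TEMPLATE = (
    "services:\n"
    "  gateway:\n"
    "    image: PLACEHOLDER_GATEWAY_IMAGE\n"
    "    environment:\n"
    "      accessToken: {token}\n"
)


def validate_credential(value: str) -> str:
    """Input-side check: refuse credential values containing control characters.

    Raises ValueError so the API layer can answer 400 instead of storing the value.
    """
    if _CONTROL_CHARS.search(value):
        raise ValueError("credential contains control characters")
    return value


def yaml_double_quoted(value: str) -> str:
    """Encode a string as a YAML double-quoted scalar using YAML 1.2 escapes.

    Quotes, backslashes, newlines and other control characters become escape
    sequences, so the returned scalar never contains a literal line break.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch == '"':
            out.append('\\"')
        elif ch == "\\":
            out.append("\\\\")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif code < 0x20 or code == 0x7F or ch in "\u0085\u2028\u2029":
            out.append("\\x%02x" % code if code < 0x100 else "\\u%04x" % code)
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def compose_unsafe(token: str) -> str:
    """The flawed pattern: the raw value is interpolated into the document."""
    return _TEMPLATE.format(token=token)


def compose_safe(token: str) -> str:
    """Hardened form: the value is quoted, so the document's line structure is fixed."""
    return _TEMPLATE.format(token=yaml_double_quoted(token))


def field_line_count(doc: str) -> int:
    """Number of YAML lines; constant for compose_safe regardless of input."""
    return len(doc.splitlines())


if __name__ == "__main__":
    hostile = "token123\nextra: injected"   # constructed sample value
    print(compose_unsafe(hostile))          # the second half becomes its own YAML line
    print(compose_safe(hostile))            # stays inside the accessToken field
```

Both mitigations are worth keeping: validation stops malformed credentials from being stored at all, while the encoder makes the generator correct for any value that does reach it, including ones created before the validation existed.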