CVE-2025-23211

Sažetak

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server. In the case of the provided Docker Compose file as root. This vulnerability is fixed in 1.5.24.

Reference

https://github.com/TandoorRecipes/recipes/blob/4f9bff20c858180d0f7376de443a9fe4c123a50c/cookbook/helper/template_helper.py#L95
https://github.com/TandoorRecipes/recipes/commit/e6087d5129cc9d0c24278948872377e66c2a2c20
https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-r6rj-h75w-vj8v
https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-r6rj-h75w-vj8v

CVSS

Base:	9.9
Impact:	6.0
Exploitability:	3.1

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Zadnje važnije ažuriranje

28-01-2025 - 17:15

Objavljeno

28-01-2025 - 16:15