Description
A bug made it possible for an authenticated user to save user-controlled content for a search template without validation. This could result in an (authenticated) RCE. This functionality is not exposed in the UI, so the API client had to be used.
Note: The user has to be authenticated in order to take advantage of this vulnerability.
This bug was introduced with the new Search template functionality using Jinja2 templates. The API endpoint was not removed.
How to check your deployment:
- Check logs for POST requests to /api/v1/searchtemplates/
- Check the SQL database for any user submitted search templates
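As an added example (not part of the advisory or of the project's own code), a small Python check that applies the first step above to a reverse-proxy access log. The combined log format and the sample lines are assumptions; adapt the regex to your proxy.

```python
import re
from typing import Dict, Iterable, List, Optional

# Combined log format as written by common reverse proxies (nginx, Apache).
# Assumption: the web front end is fronted by such a proxy; adjust LOG_RE if
# your deployment logs requests in another shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint named in the advisory. Template ids and query strings may follow it.
TARGET_PREFIX = "/api/v1/searchtemplates"

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the request fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_template_post(entry: Dict[str, str]) -> bool:
    """True for a POST whose path is the search-template endpoint or a sub-path of it."""
    path = entry["path"].split("?", 1)[0].rstrip("/")
    on_endpoint = path == TARGET_PREFIX or path.startswith(TARGET_PREFIX + "/")
    return entry["method"] == "POST" and on_endpoint

def find_template_posts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Every parsed POST to the search-template endpoint, in log order (failed ones too)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_template_post(entry):
            hits.append(entry)
    return hits

# Constructed sample log (not from a real deployment). Only the 2nd and 4th
# lines are POSTs to the endpoint; the GET and the other POST are noise.
SAMPLE_LOG = """\
10.0.0.5 - alice [17/May/2023:10:01:02 +0000] "GET /api/v1/searchtemplates/ HTTP/1.1" 200 512
10.0.0.5 - alice [17/May/2023:10:01:09 +0000] "POST /api/v1/searchtemplates/ HTTP/1.1" 201 88
10.0.0.7 - bob [17/May/2023:10:02:30 +0000] "POST /api/v1/sketches/3/explore/ HTTP/1.1" 200 4096
10.0.0.9 - - [17/May/2023:10:05:41 +0000] "POST /api/v1/searchtemplates?foo=1 HTTP/1.1" 401 0
"""

if __name__ == "__main__":
    for hit in find_template_posts(SAMPLE_LOG.splitlines()):
        print(f'{hit["ts"]} {hit["ip"]} user={hit["user"]} {hit["path"]} -> {hit["status"]}')
```

Any hit from before the fixed release is worth following up with the second step, a look at the stored templates themselves.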
More information on SSTI: https://portswigger.net/research/server-side-template-injection
This is mitigated from release 20230518. We disabled the ability to upload new search templates via the API (only server admins can add templates using YAML imports). See PR #2750 for details.