NetBox | CVE-2024-23778

A critical security vulnerability, CVE-2024-23778, has been identified in NetBox version 3.7.0. It allows Remote Code Execution (RCE) through the execution of arbitrary commands within authentication customization scripts. The flaw stems from inadequate validation of user-provided input in these scripts: an attacker who can modify a customization script is able to inject commands that the application then executes, leading to unauthorized access, data manipulation, and potential compromise of the underlying system.

The reported steps to reproduce are: access the authentication customization functionality, inject a malicious command into the customization script, save the changes, trigger execution of the script, and observe that the injected command runs and the system is potentially compromised.

The attack vector is remote and requires only a valid username and password, which underscores the urgency of addressing this vulnerability.