Summary
Yeti is subject to a remote code execution vulnerability. The remote code execution arises from the ability to create custom templates. An authenticated user can create a template with specifically crafted strings to remotely execute arbitrary code on the server.
Impact
An authenticated user could upload a specially crafted template, that when executed in the context of an export, could provide arbitrary code execution on the worker node executing the export.
Affected versions
Versions prior to 2.1.12 are affected by this vulnerability. The patch is included in 2.1.12.
chebuya Reporter
Summary
Yeti is subject to a remote code execution vulnerability. The remote code execution arises from the ability to create custom templates. An authenticated user can create a template with specifically crafted strings to remotely execute arbitrary code on the server.
Impact
An authenticated user could upload a specially crafted template, that when executed in the context of an export, could provide arbitrary code execution on the worker node executing the export.
Affected versions
Versions prior to 2.1.12 are affected by this vulnerability. The patch is included in 2.1.12.