CVE-2023-27573
EUVD-2023-31322
11.03.2026, 06:17
netbox-docker before 2.5.0 has a superuser account with default credentials (the password admin for the admin account, and the value 0123456789abcdef0123456789abcdef01234567 for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the token. Having a default token value was intentional and was valuable for the main intended use case of the netbox-docker product (isolated development networks). Some users engaged in an effort to repurpose netbox-docker for production. The documentation for this effort stated that the defaults must not be used. However, installation did not ensure non-default values. The Supplier was aware of the CVE ID assignment and did not object to the assignment.
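As an added, defender-side example (not code from netbox-docker, NetBox Labs or this CVE record), the following Python script audits an env file of the kind netbox-docker reads and flags the two defaults quoted in the description above: the admin password and the SUPERUSER_API_TOKEN value. The variable name SUPERUSER_API_TOKEN comes from the description; SUPERUSER_PASSWORD and the env/netbox.env file layout are assumptions based on the netbox-docker repository, and the sample env files are constructed for this example.

```python
"""Audit a netbox-docker style env file for the default superuser credentials
described in CVE-2023-27573 (added example, not netbox-docker's own code)."""
import re
import sys

# Default values quoted in the CVE description.
DEFAULT_SUPERUSER_PASSWORD = "admin"
DEFAULT_SUPERUSER_API_TOKEN = "0123456789abcdef0123456789abcdef01234567"

# Variable -> default to reject. SUPERUSER_API_TOKEN is named in the CVE text;
# SUPERUSER_PASSWORD is assumed from the netbox-docker env/netbox.env layout.
CHECKS = {
    "SUPERUSER_PASSWORD": DEFAULT_SUPERUSER_PASSWORD,
    "SUPERUSER_API_TOKEN": DEFAULT_SUPERUSER_API_TOKEN,
}

# KEY=VALUE with optional leading "export"; value captured lazily, trailing space dropped.
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text):
    """Parse dotenv-style text into a dict. Blank lines and '#' comments are
    skipped; a value wrapped in matching single or double quotes is unquoted."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            continue  # not an assignment; ignore rather than guess
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
            value = value[1:-1]
        env[key] = value
    return env


def audit_env(text):
    """Return {variable: reason} for every checked variable that is unsafe.
    An unset variable is reported too, because the CVE notes that installation
    did not ensure non-default values (assumption: the image then falls back
    to its built-in default)."""
    env = parse_env(text)
    findings = {}
    for key, default in CHECKS.items():
        value = env.get(key, "")
        if value == "":
            findings[key] = "not set (image default may apply)"
        elif value == default:
            findings[key] = "default value from CVE-2023-27573"
    return findings


# Constructed sample resembling a stock netbox-docker env file before 2.5.0.
SAMPLE_DEFAULT_ENV = """# constructed sample: defaults left in place
SUPERUSER_NAME=admin
SUPERUSER_EMAIL=admin@example.com
SUPERUSER_PASSWORD=admin
SUPERUSER_API_TOKEN=0123456789abcdef0123456789abcdef01234567
"""

# Constructed sample with both values replaced (placeholders, not real secrets).
SAMPLE_HARDENED_ENV = """SUPERUSER_NAME=admin
export SUPERUSER_PASSWORD="<strong unique password>"
SUPERUSER_API_TOKEN=fedcba9876543210fedcba9876543210fedcba98
"""


def main(argv):
    """Usage: audit.py env/netbox.env  (assumed path). Exit 1 on any finding."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_DEFAULT_ENV
    findings = audit_env(text)
    for key, reason in findings.items():
        print(f"FAIL {key}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the script against the constructed default file reports both variables; against the hardened sample it reports nothing. The check is deliberately strict about unset variables, since the defect described above is that a missing value silently became the default.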
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| netboxlabs | netbox-docker | x < 2.5.0 |

x = vulnerable software versions
Common Weakness Enumeration
- CWE-1392 - Use of Default Credentials: The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.
- CWE-798 - Use of Hard-coded Credentials: The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.