FKIE_CVE-2023-27573
Vulnerability from fkie_nvd - Published: 2026-03-11 06:17 - Updated: 2026-03-11 13:52
Summary
netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the token. Having a default token value was intentional and was valuable for the main intended use case of the netbox-docker product (isolated development networks). Some users engaged in an effort to repurpose netbox-docker for production. The documentation for this effort stated that the defaults must not be used. However, installation did not ensure non-default values. The Supplier was aware of the CVE ID assignment and did not object to the assignment.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the token. Having a default token value was intentional and was valuable for the main intended use case of the netbox-docker product (isolated development networks). Some users engaged in an effort to repurpose netbox-docker for production. The documentation for this effort stated that the defaults must not be used. However, installation did not ensure non-default values. The Supplier was aware of the CVE ID assignment and did not object to the assignment."
},
{
"lang": "es",
"value": "netbox-docker anterior a la versi\u00f3n 2.5.0 tiene una cuenta de superusuario con credenciales predeterminadas (contrase\u00f1a \u0027admin\u0027 para la cuenta \u0027admin\u0027, y el valor 0123456789abcdef0123456789abcdef01234567 para SUPERUSER_API_TOKEN). En la pr\u00e1ctica, en la Internet p\u00fablica, casi todos los usuarios cambiaron la contrase\u00f1a, pero solo alrededor del 90% cambi\u00f3 el token. Tener un valor de token predeterminado fue intencional y fue valioso para el caso de uso principal previsto del producto netbox-docker (redes de desarrollo aisladas). Algunos usuarios se embarcaron en un esfuerzo para reutilizar netbox-docker para producci\u00f3n. La documentaci\u00f3n para este esfuerzo indicaba que los valores predeterminados no deb\u00edan usarse. Sin embargo, la instalaci\u00f3n no garantizaba valores no predeterminados. El Proveedor estaba al tanto de la asignaci\u00f3n del ID de CVE y no se opuso a la asignaci\u00f3n."
}
],
"id": "CVE-2023-27573",
"lastModified": "2026-03-11T13:52:47.683",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 6.0,
"source": "cve@mitre.org",
"type": "Secondary"
}
]
},
"published": "2026-03-11T06:17:11.933",
"references": [
{
"source": "cve@mitre.org",
"url": "https://github.com/netbox-community/netbox-docker/issues/953"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/netbox-community/netbox-docker/pull/959"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/netbox-community/netbox-docker/releases/tag/2.5.0"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1392"
}
],
"source": "cve@mitre.org",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.