Unknown · ThingsBoard · CVE-2026-9568
**Name of the Vulnerable Software and Affected Versions**
ThingsBoard versions prior to 4.3.1.2
**Description**
A code injection flaw exists in the YAML Handler component. The issue is located within the `getGatewayDockerComposeFile()` function of the `/api/v1/provision` endpoint. This allows a remote attacker to inject code, although the attack complexity is high and exploitation is considered difficult.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
As a temporary workaround, restrict access to the `/api/v1/provision` endpoint or disable the `getGatewayDockerComposeFile()` function to minimize the risk of exploitation.
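
One way to check that the access restriction is actually holding, as an added example (not ThingsBoard code and not part of the advisory): audit the access log of a reverse proxy placed in front of ThingsBoard for requests to the endpoint that came from outside the permitted networks and were not rejected. The common log format, the 403 rejection status, the allowlisted network and the sample lines are assumptions constructed for this illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumption: legitimate provisioning clients live in this network (constructed value).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
PROTECTED_PATH = "/api/v1/provision"  # endpoint named in the advisory

# Common/combined log format: ip - - [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def normalise(target):
    """Canonicalise a request target so path variants match the same rule."""
    path = unquote(target.split("?", 1)[0])        # drop query, percent-decode
    return posixpath.normpath(re.sub(r"/{2,}", "/", path))

def audit(lines):
    """Return (ip, method, target, status) for provision requests from
    outside ALLOWED_NETS that the proxy did not reject with 403."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                # not an access-log line
        ip, method, target, status = m.groups()
        if normalise(target) != PROTECTED_PATH:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                                # client field is not an IP
        if any(addr in net for net in ALLOWED_NETS) or status == "403":
            continue                                # permitted client, or blocked
        findings.append((ip, method, target, int(status)))
    return findings

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '10.20.3.7 - - [01/Jan/2026:10:00:00 +0000] "POST /api/v1/provision HTTP/1.1" 200 112',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "POST /api/v1/provision HTTP/1.1" 403 0',
    '198.51.100.4 - - [01/Jan/2026:10:00:09 +0000] "POST /api/v1//provision/?x=1 HTTP/1.1" 200 98',
    '198.51.100.4 - - [01/Jan/2026:10:00:12 +0000] "GET /api/v1/telemetry HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG):
        print("unrestricted provision request:", hit)
```

Any finding means the proxy rule is matching the literal path only and should be tightened to match the normalised path.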