CVE-2023-46128

2023-10-2518:17:36

CWE-312

CWE-200

[email protected]

web.nvd.nist.gov

nautobot

network automation platform

django python framework

cve-2023-46128

security vulnerability

patched vulnerability

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.9%

JSON

Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the ?depth=<N> query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. The passwords are not exposed in plaintext. This vulnerability has been patched in version 2.0.3.

Affected configurations

Vulners

NVD

Node

nautobotnautobot-plugin-device-onboardingRange2.0.0–2.0.3

VendorProductVersionCPE
nautobotnautobot\-plugin\-device\-onboarding*cpe:2.3:a:nautobot:nautobot\-plugin\-device\-onboarding:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nautobot	nautobot\-plugin\-device\-onboarding	*	cpe:2.3:a:nautobot:nautobot\-plugin\-device\-onboarding::::::::

CNA Affected

[
  {
    "vendor": "nautobot",
    "product": "nautobot",
    "versions": [
      {
        "version": ">= 2.0.0, < 2.0.3",
        "status": "affected"
      }
    ]
  }
]