GitHub_MCVELIST:CVE-2023-51649CVE-2023-51649 Nautobot missing object-level permissions enforcement when running Job Buttons
3.5 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L
4.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
21.3%
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level extras.run_job permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0
CNA Affected
[
{
"vendor": "nautobot",
"product": "nautobot",
"versions": [
{
"version": ">= 1.5.14, < 1.6.8",
"status": "affected"
},
{
"version": ">= 2.0.0, < 2.1.0",
"status": "affected"
}
]
}
]Related
3.5 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L
4.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
21.3%