Unauthenticated views may expose information to anonymous users

Impact

A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users, including the following:

• /api/graphql/ (1)
• /api/users/users/session/ (Nautobot 2.x only; the only information exposed to an anonymous user is which authentication backend classes are enabled on this Nautobot instance)
• /dcim/racks/<uuid:pk>/dynamic-groups/ (1)
• /dcim/devices/<uuid:pk>/dynamic-groups/ (1)
• /extras/job-results/<uuid:pk>/log-table/
• /extras/secrets/provider/<str:provider_slug>/form/ (the only information exposed to an anonymous user is the fact that a secrets provider with the given slug (e.g. environment-variable or text-file) is supported by this Nautobot instance)
• /ipam/prefixes/<uuid:pk>/dynamic-groups/ (1)
• /ipam/ip-addresses/<uuid:pk>/dynamic-groups/ (1)
• /virtualization/clusters/<uuid:pk>/dynamic-groups/ (1)
• /virtualization/virtual-machines/<uuid:pk>/dynamic-groups/ (1)

(1) These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users.

Of these endpoints, the only one that poses any significant risk of sensitive information disclosure under normal Nautobot operation with a default configuration is /extras/job-results/<uuid:pk>/log-table/. This endpoint returns an HTML table containing all of the logs associated with the specified JobResult; while these logs may contain sensitive information depending on the Jobs executed in Nautobot, this exposure is mitigated somewhat by the fact that any attacker would have to have prior knowledge of the existence of a JobResult with a particular UUID.

In the interest of full disclosure, the following additional endpoints were also accessible to anonymous users, but do not disclose any sensitive data when accessed (only a listing of other API endpoints).

• /api/
• /api/circuits/
• /api/dcim/
• /api/extras/
• /api/ipam/
• /api/plugins/
• /api/tenancy/
• /api/users/
• /api/virtualization/

All of the above endpoints have been corrected to require user authentication, with the exception of /api/users/users/session/ which is unused at this time and therefore has been simply removed from Nautobot 2.1.9. Additionally, we have added test automation which enumerates available Nautobot URL endpoints and verifies that appropriate authentication requirements are in place; this test was instrumental in identifying the above comprehensive list.

Patches

Fixes will be included in Nautobot 1.6.16 and 2.1.9.

Workarounds

Partial workaround: If your configuration includes a non-default value for EXEMPT_VIEW_PERMISSIONS (the Nautobot default is an empty list), reverting it to default will prevent exposure of Nautobot information to unauthenticated users via the endpoints marked with (1) above.

References

Are there any links users can visit to find out more?