OSV:GHSA-QF3C-RW9F-JH7V (Google, osv.dev)

Clear Text Credentials Exposed via Onboarding Task

Published: 2023-11-21 23:50:02

Tags: clear text, credentials, onboarding task, job results, celery task, nautobot, database, upgrade, rotate

6.5 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low (percentile 21.8%)

Impact

When credentials are provided while creating an OnboardingTask, they may be visible in the Job Results view under the Additional Data tab, as the args of the Celery task execution. This only applies to OnboardingTasks that were created with credentials specified while running v2.0.0-2.0.2 of Nautobot Device Onboarding. This advisory does not apply to earlier versions, or when the credentials come from NAPALM_USERNAME and NAPALM_PASSWORD in nautobot_config.py.

Patches

v3.0.0

Workarounds

None

Recommendations

  • Delete all Job Results for any onboarding task that was run while on v2.0.X, to remove the clear text credentials from the database entries
  • Upgrade to v3.0.0
  • Rotate any exposed credential

CPE Name | Operator | Version
nautobot-device-onboarding | eq | 2.0.3
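To support the first recommendation, the following added example (not part of this advisory or of the Nautobot project) scans exported Job Result records, picks out onboarding-task runs whose Celery task arguments still carry a non-empty credential, and returns their IDs so they can be deleted and the credentials rotated. The record layout (`id`, `name`, `task_args`, `task_kwargs`) and the key names are assumptions modelled on the advisory's description, and the sample records are constructed.

```python
import re
from typing import Any, Iterable

# Argument keys treated as credential-bearing (assumption; extend to taste).
SECRET_KEY_PATTERN = re.compile(r"(password|passwd|secret|token)", re.IGNORECASE)


def _find_secret_paths(obj: Any, path: str = "") -> list[str]:
    """Recursively collect JSON paths whose key looks like a secret and whose value is set."""
    found: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else str(key)
            if SECRET_KEY_PATTERN.search(str(key)) and value not in (None, ""):
                found.append(child)
            found.extend(_find_secret_paths(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            found.extend(_find_secret_paths(item, f"{path}[{i}]"))
    return found


def find_exposed_job_results(job_results: Iterable[dict], task_marker: str = "onboarding") -> list[dict]:
    """Return onboarding-task job results whose stored task args/kwargs contain credentials.

    Each record is assumed to be a dict with 'id', 'name', and optional 'task_args'/'task_kwargs',
    i.e. the "Additional Data" the advisory describes. Results are candidates for deletion.
    """
    exposed = []
    for jr in job_results:
        name = str(jr.get("name", ""))
        if task_marker.lower() not in name.lower():
            continue  # not an onboarding task; other jobs are out of scope for this advisory
        data = {"task_args": jr.get("task_args", []), "task_kwargs": jr.get("task_kwargs", {})}
        paths = _find_secret_paths(data)
        if paths:
            exposed.append({"id": jr["id"], "name": name, "secret_paths": paths})
    return exposed


# Constructed sample records (assumed field names, not real Nautobot output).
SAMPLE_JOB_RESULTS = [
    {"id": "a1", "name": "nautobot_device_onboarding.jobs.OnboardingTask", "task_args": [],
     "task_kwargs": {"ip_address": "192.0.2.10", "username": "netadmin", "password": "hunter2"}},
    {"id": "b2", "name": "nautobot_device_onboarding.jobs.OnboardingTask", "task_args": [],
     "task_kwargs": {"ip_address": "192.0.2.11", "username": None, "password": None}},  # NAPALM_* config used
    {"id": "c3", "name": "other_app.jobs.BackupJob", "task_kwargs": {"password": "not-an-onboarding-task"}},
]

if __name__ == "__main__":
    for hit in find_exposed_job_results(SAMPLE_JOB_RESULTS):
        print(f"JobResult {hit['id']} ({hit['name']}): credentials at {hit['secret_paths']}")
```

Only the record with a populated password is flagged; a run that relied on NAPALM_USERNAME/NAPALM_PASSWORD from nautobot_config.py stores no credential in its arguments and is left alone, matching the advisory's scope.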
