CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L
AI Score: 6.5 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.7%)
A Nautobot user with admin privileges can modify the BANNER_TOP, BANNER_BOTTOM, and BANNER_LOGIN configuration settings via the /admin/constance/config/ endpoint. Normally these settings are used to provide custom banner text at the top and bottom of all Nautobot web pages (or specifically on the login page in the case of BANNER_LOGIN), but it was reported that an admin user can make use of these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as cross-site scripting (stored XSS).
Has the problem been patched? What versions should users upgrade to?
Patches will be released as part of Nautobot 1.6.22 and 2.2.4.
Is there a way for users to fix or remediate the vulnerability without upgrading?
As described in the Nautobot documentation, these settings are only configurable through the admin UI of Nautobot if they are not explicitly set to some non-empty value in the nautobot_config.py or equivalent Nautobot configuration file. Therefore, adding the following configuration to said file completely mitigates this vulnerability in both Nautobot 1.x and 2.x:
BANNER_LOGIN = " "
BANNER_TOP = " "
BANNER_BOTTOM = " "
or alternately (Nautobot 2.x only), if those variables are not defined explicitly in your configuration file, setting the following environment variables for the Nautobot user account serves the same purpose:
NAUTOBOT_BANNER_LOGIN=" "
NAUTOBOT_BANNER_TOP=" "
NAUTOBOT_BANNER_BOTTOM=" "
Limiting all users who do not need elevated privileges to non-admin access (is_superuser: False and is_staff: False) is a partial mitigation as well.
github.com/nautobot/nautobot
github.com/nautobot/nautobot/commit/4f0a66bd6307bfe0e0acb899233e0d4ad516f51c
github.com/nautobot/nautobot/commit/f640aedc69c848d3d1be57f0300fc40033ff6423
github.com/nautobot/nautobot/pull/5697
github.com/nautobot/nautobot/pull/5698
github.com/nautobot/nautobot/security/advisories/GHSA-r2hr-4v48-fjv3
nvd.nist.gov/vuln/detail/CVE-2024-34707