Lucene search

GoogleOSV:PYSEC-2023-220

HistoryOct 25, 2023 - 6:17 p.m.

PYSEC-2023-220

2023-10-2518:17:00

Google

osv.dev

nautobot

network automation platform

django python framework

postgresql

mysql

rest api

vulnerability

patched

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.9%

JSON

Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the ?depth=<N> query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. The passwords are not exposed in plaintext. This vulnerability has been patched in version 2.0.3.

CPENameOperatorVersion
nautoboteq2.0.0
nautoboteq2.0.1
nautoboteq2.0.2

Name	Operator	Version
nautobot	eq	2.0.0
nautobot	eq	2.0.1
nautobot	eq	2.0.2

References

github.com/nautobot/nautobot/commit/1ce8e5c658a075c29554d517cd453675e5d40d71

github.com/nautobot/nautobot/pull/4692

github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqp

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.9%

JSON

Related for OSV:PYSEC-2023-220