6 matches found

Github Security Blog
added 2023/12/22 7:51 p.m., 29 views

Nautobot missing object-level permissions enforcement when running Job Buttons

Impact: When submitting a Job to run via a Job Button, only the model-level extras.run_job permission is checked (i.e., does the user have permission to run Jobs in general?). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used ...

CVSS 4.3, AI score 6.9, EPSS 0.00103
Exploits 0, References 9, Affected Software 1

Prion
added 2023/12/22 5:15 p.m., 12 views

Code injection

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level extras.run_job permission is checked, i.e., does the user have...

CVSS 4, AI score 6.9, EPSS 0.00103
Exploits 0, References 4, Affected Software 1

PyPA
added 2023/12/22 5:15 p.m., 5 views

PYSEC-2023-287

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level extras.run_job permission is checked, i.e., does the user have...

CVSS 4.3, AI score 6.8, EPSS 0.00103
Exploits 0, References 7, Affected Software 1

Cvelist
added 2023/12/22 4:48 p.m., 13 views

CVE-2023-51649 Nautobot missing object-level permissions enforcement when running Job Buttons

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level extras.run_job permission is checked, i.e., does the user have...

CVSS 3.5, AI score 4.8, EPSS 0.00103
Exploits 0, References 4

CVE
added 2023/12/22 4:48 p.m., 48 views

CVE-2023-51649

CVE-2023-51649 affects Nautobot, a Django-based network automation platform. The issue: when submitting a Job via a Job Button, only the model-level extras.run_job permission is enforced; object-level permissions (permission to run a specific Job) are not checked by the relevant URL/view. Result:...

CVSS 4.3, AI score 4.1, EPSS 0.00103
Exploits 0, References 4, Affected Software 1

CNNVD
added 2023/12/22 12:00 a.m., 2 views

Nautobot Security Vulnerability

Nautobot is a web automation platform from the individual developers of Nautobot. A security vulnerability exists in Nautobot version 1.5.14 and earlier, which stems from not checking object-level permissions when submitting a job to be run via the Job Button...

CVSS 4.3, AI score 6.7, EPSS 0.00103
Exploits 0, References 5