Lucene search

Veracode Vulnerability DatabaseVERACODE:43970

HistoryOct 25, 2023 - 6:08 a.m.

Password Disclsosure

2023-10-2506:08:41

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

nautobot

vulnerability

utils.py

hashed passwords

rest api

exploit

depth query parameter

software

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

22.9%

JSON

nautobot is vulnerable to Password Disclosure. The vulnerability is due to the fact that the utils.py does not correctly inherit all the necessary Meta attributes from the base serializer. This flaw permits an authenticated attacker to access hashed user passwords stored in the database through REST API endpoints. This exploit can be combined with the use of the ?depth= query parameter.

CPENameOperatorVersion
nautobotle2.0.2
nautobotle2.0.2

CPE	Name	Operator	Version
	nautobot	le	2.0.2
	nautobot	le	2.0.2

References

github.com/advisories/GHSA-r2hw-74xv-4gqp

github.com/nautobot/nautobot/commit/1ce8e5c658a075c29554d517cd453675e5d40d71

github.com/nautobot/nautobot/pull/4692

github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqp

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.5 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

22.9%

JSON

Related for VERACODE:43970