CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AI Score: 7.3 High
Confidence: Low
EPSS: 0.001 Low
Percentile: 31.3%
nautobot is vulnerable to Information Disclosure. The vulnerability exists because the library uses django-db-file-storage by default, which does not require any user authentication to access the database file storage. This allows an attacker to view files in the database storage and potentially perform arbitrary file downloads; no URL mechanism is provided for listing or traversing the available file names.
github.com/nautobot/nautobot/commit/458280c359a4833a20da294eaf4b8d55edc91cee
github.com/nautobot/nautobot/commit/7c4cf3137f45f1541f09f2f6a7f8850cd3a2eaee
github.com/nautobot/nautobot/pull/4959
github.com/nautobot/nautobot/pull/4964
github.com/nautobot/nautobot/security/advisories/GHSA-75mc-3pjc-727q
github.com/victor-o-silva/db_file_storage/blob/master/db_file_storage/views.py