Veracode Vulnerability DatabaseVERACODE:44834Incorrect Authorization
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
6.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
21.3%
Nautobot is vulnerable to Missing Authorization. The vulnerability is due to a lack of proper enforcement of object-level permissions when submitting a job to run. This could allow an attacker with permissions to run only a single job to run all configured JobButton Jobs.
References
github.com/nautobot/nautobot/commit/3d964f996f4926126c1d7853ca87b2ff475997a2
github.com/nautobot/nautobot/commit/d33d0c15a36948c45244e5b5e10bc79b8e62de7f
github.com/nautobot/nautobot/issues/4988
github.com/nautobot/nautobot/pull/4993
github.com/nautobot/nautobot/pull/4995
github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
6.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
21.3%