CVE-2023-46128

Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=<N>` query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. The passwords are not exposed in plaintext. This vulnerability has been patched in version 2.0.3.
Configurations

Configuration 1

cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*

History

01 Nov 2023, 16:25

CWE
  Values Removed: (none)
  Values Added: CWE-312

First Time
  Values Removed: (none)
  Values Added: Networktocode nautobot; Networktocode

References
  Values Removed: (MISC) https://github.com/nautobot/nautobot/pull/4692
  Values Added: (MISC) https://github.com/nautobot/nautobot/pull/4692 - Patch

  Values Removed: (MISC) https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqp
  Values Added: (MISC) https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqp - Exploit, Patch, Vendor Advisory

  Values Removed: (MISC) https://github.com/nautobot/nautobot/commit/1ce8e5c658a075c29554d517cd453675e5d40d71
  Values Added: (MISC) https://github.com/nautobot/nautobot/commit/1ce8e5c658a075c29554d517cd453675e5d40d71 - Patch

CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added: v2 : unknown; v3 : 6.5

CPE
  Values Removed: (none)
  Values Added: cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*

25 Oct 2023, 18:17

New CVE
  Values Removed: (none)
  Values Added: (none)

Information

Published : 2023-10-25 18:17

Updated : 2024-02-28 20:33


NVD link : CVE-2023-46128

Mitre link : CVE-2023-46128

CVE.ORG link : CVE-2023-46128

Products Affected

networktocode

  • nautobot
CWE
CWE-312

Cleartext Storage of Sensitive Information

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor