Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0
References
Link | Resource |
---|---|
https://github.com/nautobot/nautobot/issues/4988 | Issue Tracking |
https://github.com/nautobot/nautobot/pull/4993 | Issue Tracking Patch |
https://github.com/nautobot/nautobot/pull/4995 | Issue Tracking Patch |
https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999 | Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
03 Jan 2024, 20:05
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:* | |
First Time |
Networktocode
Networktocode nautobot |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.3 |
References | () https://github.com/nautobot/nautobot/pull/4995 - Issue Tracking, Patch | |
References | () https://github.com/nautobot/nautobot/pull/4993 - Issue Tracking, Patch | |
References | () https://github.com/nautobot/nautobot/issues/4988 - Issue Tracking | |
References | () https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999 - Patch, Vendor Advisory |
22 Dec 2023, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-22 17:15
Updated : 2024-02-28 20:54
NVD link : CVE-2023-51649
Mitre link : CVE-2023-51649
CVE.ORG link : CVE-2023-51649
JSON object : View
Products Affected
networktocode
- nautobot
CWE
CWE-863
Incorrect Authorization