CVE-2023-51649

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*
cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*

History

03 Jan 2024, 20:05

Type Values Removed Values Added
CPE cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*
First Time Networktocode
Networktocode nautobot
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.3
References () https://github.com/nautobot/nautobot/pull/4995 - () https://github.com/nautobot/nautobot/pull/4995 - Issue Tracking, Patch
References () https://github.com/nautobot/nautobot/pull/4993 - () https://github.com/nautobot/nautobot/pull/4993 - Issue Tracking, Patch
References () https://github.com/nautobot/nautobot/issues/4988 - () https://github.com/nautobot/nautobot/issues/4988 - Issue Tracking
References () https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999 - () https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999 - Patch, Vendor Advisory

22 Dec 2023, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-12-22 17:15

Updated : 2024-02-28 20:54


NVD link : CVE-2023-51649

Mitre link : CVE-2023-51649

CVE.ORG link : CVE-2023-51649


JSON object : View

Products Affected

networktocode

  • nautobot
CWE
CWE-863

Incorrect Authorization