Vulnerability Description
Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=<N>` query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. The passwords are not exposed in plaintext. This vulnerability has been patched in version 2.0.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Networktocode | Nautobot | >= 2.0.0, < 2.0.3 |
Related Weaknesses (CWE)
References
- https://github.com/nautobot/nautobot/commit/1ce8e5c658a075c29554d517cd453675e5d4Patch
- https://github.com/nautobot/nautobot/pull/4692Patch
- https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqpExploitPatchVendor Advisory
- https://github.com/nautobot/nautobot/commit/1ce8e5c658a075c29554d517cd453675e5d4Patch
- https://github.com/nautobot/nautobot/pull/4692Patch
- https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqpExploitPatchVendor Advisory
FAQ
What is CVE-2023-46128?
CVE-2023-46128 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination...
How severe is CVE-2023-46128?
CVE-2023-46128 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-46128?
Check the references section above for vendor advisories and patch information. Affected products include: Networktocode Nautobot.