Vulnerability Description
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permission to run even a single Job can actually run all configured JobButton Jobs. A fix will be available in Nautobot 1.6.8 and 2.1.0.
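To make the model-level versus object-level distinction concrete, here is an added Python illustration (not Nautobot's code): a minimal user whose `has_perm(perm, obj=None)` method follows Django's contract, a constructed per-Job scope standing in for Nautobot's object-permission constraints, and the Job Button view logic in the flawed form the advisory describes beside the corrected one.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Job:
    """Stand-in for a Nautobot Job record (constructed, not the real model)."""
    name: str


@dataclass
class User:
    # Model-level permissions, e.g. {"extras.run_job"}: "may this user run Jobs at all?"
    model_perms: Set[str] = field(default_factory=set)
    # Constructed object-level scope: per permission, the Job names it is limited to.
    # A missing entry means the permission is unconstrained (applies to every Job).
    object_scope: Dict[str, Set[str]] = field(default_factory=dict)

    def has_perm(self, perm: str, obj: Optional[Job] = None) -> bool:
        """Mirrors Django's User.has_perm(perm, obj=None) calling convention."""
        if perm not in self.model_perms:
            return False
        if obj is None:            # model-level question only: no object to scope to
            return True
        scope = self.object_scope.get(perm)
        return scope is None or obj.name in scope


def run_job_button_vulnerable(user: User, job: Job) -> str:
    """The flaw described above: only the model-level permission is consulted,
    so the specific Job being run never enters the decision."""
    if not user.has_perm("extras.run_job"):
        return "forbidden"
    return f"ran {job.name}"


def run_job_button_fixed(user: User, job: Job) -> str:
    """Hardened form: the same permission is evaluated against the target Job,
    so object-level constraints are enforced before the Job is queued."""
    if not user.has_perm("extras.run_job", obj=job):
        return "forbidden"
    return f"ran {job.name}"


if __name__ == "__main__":
    # Constructed scenario: the operator is scoped to run only the "backup" Job.
    operator = User(model_perms={"extras.run_job"},
                    object_scope={"extras.run_job": {"backup"}})
    for job in (Job("backup"), Job("decommission")):
        print(job.name, run_job_button_vulnerable(operator, job),
              run_job_button_fixed(operator, job))
```

Running it shows the vulnerable path executing both Jobs for a user scoped to one, while the fixed path refuses the out-of-scope Job.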
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Networktocode | Nautobot | >= 1.5.14, < 1.6.8 |
Related Weaknesses (CWE)
References
- https://github.com/nautobot/nautobot/issues/4988 (Issue Tracking)
- https://github.com/nautobot/nautobot/pull/4993 (Issue Tracking, Patch)
- https://github.com/nautobot/nautobot/pull/4995 (Issue Tracking, Patch)
- https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999 (Patch, Vendor Advisory)
FAQ
What is CVE-2023-51649?
CVE-2023-51649 is a vulnerability with a CVSS score of 3.5 (LOW). Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via ...
How severe is CVE-2023-51649?
CVE-2023-51649 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-51649?
Check the references section above for vendor advisories and patch information. Affected products include: Networktocode Nautobot.