CVE-2023-51649

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.5 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L
GitHub_MCNA
3.5 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
VendorProductVersion
networktocodenautobot
1.5.14 ≤
𝑥
< 1.6.8
networktocodenautobot
2.0.0 ≤
𝑥
< 2.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nautobot/nautobot/issues/4988
https://github.com/nautobot/nautobot/pull/4993
https://github.com/nautobot/nautobot/pull/4995
https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999
https://github.com/nautobot/nautobot/issues/4988
https://github.com/nautobot/nautobot/pull/4993
https://github.com/nautobot/nautobot/pull/4995
https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999