Vulnerability-Lookup

CVE-2023-51649 (GCVE-0-2023-51649)

Vulnerability from cvelistv5 – Published: 2023-12-22 16:48 – Updated: 2024-08-02 22:40

Title

Nautobot missing object-level permissions enforcement when running Job Buttons

Summary

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0

Severity ?

3.5 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L

CWE

CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	nautobot	nautobot	Affected: >= 1.5.14, < 1.6.8 Affected: >= 2.0.0, < 2.1.0

FKIE_CVE-2023-51649

Vulnerability from fkie_nvd - Published: 2023-12-22 17:15 - Updated: 2024-11-21 08:38

Severity ?

3.5 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/nautobot/nautobot/issues/4988	Issue Tracking
security-advisories@github.com	https://github.com/nautobot/nautobot/pull/4993	Issue Tracking, Patch
security-advisories@github.com	https://github.com/nautobot/nautobot/pull/4995	Issue Tracking, Patch
security-advisories@github.com	https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/issues/4988	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/pull/4993	Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/pull/4995	Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999	Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	networktocode	nautobot	*
	networktocode	nautobot	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "882A82E9-9E77-42C7-9BF0-B9043343580F",
              "versionEndExcluding": "1.6.8",
              "versionStartIncluding": "1.5.14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FAFB640A-21BF-41F2-B824-50336FF393B0",
              "versionEndExcluding": "2.1.0",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0 "
    },
    {
      "lang": "es",
      "value": "Nautobot es una Network Automation Platform y Network Source of Truth creada como una aplicaci\u00f3n web sobre el framework Django Python con una base de datos PostgreSQL o MySQL. Al enviar un Job para ejecutar a trav\u00e9s de un bot\u00f3n de Job, solo se verifica el permiso `extras.run_job` a nivel de modelo (es decir, si el usuario tiene permiso para ejecutar Jobs en general). Los permisos a nivel de objeto (es decir, \u00bftiene el usuario permiso para ejecutar este trabajo espec\u00edfico?) no se aplican mediante la URL/vista utilizada en este caso. Un usuario con permisos para ejecutar incluso un solo Job puede ejecutar todos los Jobs de JobButton configurados. La soluci\u00f3n estar\u00e1 disponible en Nautobot 1.6.8 y 2.1.0"
    }
  ],
  "id": "CVE-2023-51649",
  "lastModified": "2024-11-21T08:38:32.163",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-22T17:15:10.197",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/nautobot/nautobot/issues/4988"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/nautobot/nautobot/pull/4993"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/nautobot/nautobot/pull/4995"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/nautobot/nautobot/issues/4988"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/nautobot/nautobot/pull/4993"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/nautobot/nautobot/pull/4995"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

PYSEC-2023-287

Vulnerability from pysec - Published: 2023-12-22 17:15 - Updated: 2024-11-21 14:22

Details

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level extras.run_job permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Impacted products

Name	purl
nautobot	pkg:pypi/nautobot

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nautobot",
        "purl": "pkg:pypi/nautobot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.0"
            },
            {
              "introduced": "1.5.14"
            },
            {
              "fixed": "1.6.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.5.14",
        "1.5.15",
        "1.5.16",
        "1.5.17",
        "1.5.18",
        "1.5.19",
        "1.5.20",
        "1.5.21",
        "1.5.22",
        "1.5.23",
        "1.5.24",
        "1.6.0",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6.4",
        "1.6.5",
        "1.6.6",
        "1.6.7",
        "2.0.0",
        "2.0.1",
        "2.0.2",
        "2.0.3",
        "2.0.4",
        "2.0.5",
        "2.0.6",
        "2.1.0b1"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-51649",
    "GHSA-vf5m-xrhm-v999"
  ],
  "details": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0 ",
  "id": "PYSEC-2023-287",
  "modified": "2024-11-21T14:22:55.764934+00:00",
  "published": "2023-12-22T17:15:00+00:00",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/nautobot/nautobot/issues/4988"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/nautobot/nautobot/pull/4993"
    },
    {
      "type": "FIX",
      "url": "https://github.com/nautobot/nautobot/pull/4993"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/nautobot/nautobot/pull/4995"
    },
    {
      "type": "FIX",
      "url": "https://github.com/nautobot/nautobot/pull/4995"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VF5M-XRHM-V999

Vulnerability from github – Published: 2023-12-22 19:51 – Updated: 2024-11-22 18:15

Summary

Nautobot missing object-level permissions enforcement when running Job Buttons

Details

Impact

When submitting a Job to run via a Job Button, only the model-level extras.run_job permission is checked (i.e., does the user have permission to run Jobs in general?). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case (/extras/job-button/<uuid>/run/) The effect is that a user with permissions to run even a single Job can actually run all configured JobButton Jobs.

Not all Jobs can be configured as JobButtons; only those implemented as subclasses of JobButtonReceiver can be used in this way, so this vulnerability only applies specifically to JobButtonReceiver subclasses.

Additionally, although the documentation states that both extras.run_job permission and extras.run_jobbutton permission must be granted to a user in order to run Jobs via JobButton, the extras.run_jobbutton permission is not actually enforced by the view code, only by the UI by disabling the button from being clicked normally. Furthermore, the extras.run_jobbutton permission never prevented invoking Jobs (including JobButtonReceiver subclasses) via the normal "Job Run" UI, so after some discussion, we've decided that the extras.run_jobbutton permission is redundant, and as it never achieved its stated/documented purpose, the fixes below will remove the UI check for extras.run_jobbutton and all other references to the extras.run_jobbutton permission, rather than adding enforcement of this previously unenforced permission.

Patches

Has the problem been patched? What versions should users upgrade to?

Fix will be available in Nautobot 1.6.8 (https://github.com/nautobot/nautobot/pull/4995) and 2.1.0 (https://github.com/nautobot/nautobot/pull/4993)

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Partial mitigation can be achieved by auditing JobButtonReceiver subclasses defined in the system and restricting which users are permitted to create or edit JobButton records.

References

https://github.com/nautobot/nautobot/issues/4988
https://github.com/nautobot/nautobot/pull/4993
https://github.com/nautobot/nautobot/pull/4995

Severity ?

3.5 (Low)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nautobot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.14"
            },
            {
              "fixed": "1.6.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nautobot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-51649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-22T19:51:53Z",
    "nvd_published_at": "2023-12-22T17:15:10Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nWhen submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general?). Object-level permissions (i.e., does the user have permission to run this *specific* Job?) are not enforced by the URL/view used in this case (`/extras/job-button/\u003cuuid\u003e/run/`) The effect is that a user with permissions to run even a single Job can actually run all configured JobButton Jobs.\n\n\u003e Not all Jobs can be configured as JobButtons; only those implemented as subclasses of `JobButtonReceiver` can be used in this way, so this vulnerability only applies specifically to `JobButtonReceiver` subclasses.\n\nAdditionally, although the documentation states that both `extras.run_job` permission and `extras.run_jobbutton` permission must be granted to a user in order to run Jobs via JobButton, the `extras.run_jobbutton` permission is not actually enforced by the view code, only by the UI by disabling the button from being clicked normally. Furthermore, the `extras.run_jobbutton` permission never prevented invoking Jobs (including `JobButtonReceiver` subclasses) via the normal \"Job Run\" UI, so after some discussion, we\u0027ve decided that the `extras.run_jobbutton` permission is redundant, and as it never achieved its stated/documented purpose, the fixes below will remove the UI check for `extras.run_jobbutton` and all other references to the `extras.run_jobbutton` permission, rather than adding enforcement of this previously unenforced permission.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nFix will be available in Nautobot 1.6.8 (https://github.com/nautobot/nautobot/pull/4995) and 2.1.0 (https://github.com/nautobot/nautobot/pull/4993)\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nPartial mitigation can be achieved by auditing `JobButtonReceiver` subclasses defined in the system and restricting which users are permitted to create or edit JobButton records. \n\n### References\n\n- https://github.com/nautobot/nautobot/issues/4988\n- https://github.com/nautobot/nautobot/pull/4993\n- https://github.com/nautobot/nautobot/pull/4995\n",
  "id": "GHSA-vf5m-xrhm-v999",
  "modified": "2024-11-22T18:15:15Z",
  "published": "2023-12-22T19:51:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51649"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/issues/4988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/pull/4993"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/pull/4995"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/commit/3d964f996f4926126c1d7853ca87b2ff475997a2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/commit/d33d0c15a36948c45244e5b5e10bc79b8e62de7f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nautobot/nautobot"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2023-287.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nautobot missing object-level permissions enforcement when running Job Buttons"
}

GSD-2023-51649

Vulnerability from gsd - Updated: 2023-12-21 06:01

Details

Aliases

CVE-2023-51649

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-51649"
      ],
      "details": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0 ",
      "id": "GSD-2023-51649",
      "modified": "2023-12-21T06:01:31.668501Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-51649",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "nautobot",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 1.5.14, \u003c 1.6.8"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 2.0.0, \u003c 2.1.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "nautobot"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0 "
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-863",
                "lang": "eng",
                "value": "CWE-863: Incorrect Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999",
            "refsource": "MISC",
            "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999"
          },
          {
            "name": "https://github.com/nautobot/nautobot/issues/4988",
            "refsource": "MISC",
            "url": "https://github.com/nautobot/nautobot/issues/4988"
          },
          {
            "name": "https://github.com/nautobot/nautobot/pull/4993",
            "refsource": "MISC",
            "url": "https://github.com/nautobot/nautobot/pull/4993"
          },
          {
            "name": "https://github.com/nautobot/nautobot/pull/4995",
            "refsource": "MISC",
            "url": "https://github.com/nautobot/nautobot/pull/4995"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-vf5m-xrhm-v999",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "882A82E9-9E77-42C7-9BF0-B9043343580F",
                    "versionEndExcluding": "1.6.8",
                    "versionStartIncluding": "1.5.14",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "FAFB640A-21BF-41F2-B824-50336FF393B0",
                    "versionEndExcluding": "2.1.0",
                    "versionStartIncluding": "2.0.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0 "
          },
          {
            "lang": "es",
            "value": "Nautobot es una Network Automation Platform y Network Source of Truth creada como una aplicaci\u00f3n web sobre el marco Django Python con una base de datos PostgreSQL o MySQL. Al enviar un job para ejecutar a trav\u00e9s de un bot\u00f3n de job, solo se verifica el permiso `extras.run_job` a nivel de modelo (es decir, si el usuario tiene permiso para ejecutar jobs en general). Los permisos a nivel de objeto (es decir, \u00bftiene el usuario permiso para ejecutar este trabajo espec\u00edfico?) no se aplican mediante la URL/vista utilizada en este caso. Un usuario con permisos para ejecutar incluso un solo job puede ejecutar todos los jobs de JobButton configurados. La soluci\u00f3n estar\u00e1 disponible en Nautobot 1.6.8 y 2.1.0"
          }
        ],
        "id": "CVE-2023-51649",
        "lastModified": "2024-01-03T20:05:01.863",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 1.4,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 1.8,
              "impactScore": 1.4,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-12-22T17:15:10.197",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Issue Tracking"
            ],
            "url": "https://github.com/nautobot/nautobot/issues/4988"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Issue Tracking",
              "Patch"
            ],
            "url": "https://github.com/nautobot/nautobot/pull/4993"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Issue Tracking",
              "Patch"
            ],
            "url": "https://github.com/nautobot/nautobot/pull/4995"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch",
              "Vendor Advisory"
            ],
            "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-863"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-51649 (GCVE-0-2023-51649)

FKIE_CVE-2023-51649

PYSEC-2023-287

GHSA-VF5M-XRHM-V999

Impact

Patches

Workarounds

References

GSD-2023-51649

Tags

Sightings

Nomenclature