CVE-2023-51649
MEDIUM EPSS 35.8%
Published Dec 22, 20232y ago · Modified Jun 17, 20261w ago
4.3 CVSS 3.1
Published Dec 22, 2023 2y ago
Last Modified Jun 17, 2026 1w ago
Description
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None
Threat Intelligence
EPSS Exploit Probability
35.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-863 Incorrect Authorization Authorization
Affected Products 2
| Vendor | Product | Version | Range |
|---|---|---|---|
| networktocode | nautobot | * | ≥1.5.14 – <1.6.8 |
| networktocode | nautobot | * | ≥2.0.0 – <2.1.0 |
References 4
- github.com https://github.com/nautobot/nautobot/issues/4988
- github.com https://github.com/nautobot/nautobot/pull/4993
- github.com https://github.com/nautobot/nautobot/pull/4995
- github.com https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999
Remediation
- github.com https://github.com/nautobot/nautobot/pull/4993
- github.com https://github.com/nautobot/nautobot/pull/4995
- github.com https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999