Nautobot Security Notices¶

As a part of the Nautobot development team's commitment to security, we maintain the below historical list of security issues which have been fixed and disclosed. Note that this list only includes issues in Nautobot itself; while we frequently update our library dependencies to keep them up-to-date and free of known security issues therein, any reported issues in such libraries, and the corresponding updates to Nautobot's specified dependencies, are out of scope for this document.

CVE-2024-36112¶

Disclosure Date	May 28, 2024
Summary	A user with permissions to view Dynamic Group records can use the Dynamic Group detail UI view and/or the Dynamic Group Members REST API view to list the objects that are members of a given Dynamic Group. Nautobot failed to restrict these listings based on the member object permissions - for example a Dynamic Group of Device objects would list all Devices that it contains, regardless of the user's `dcim.view_device` permissions or lack thereof.
Full Description	GHSA-qmjf-wc2h-6x3q
Affected Versions	≥1.3.0, <1.6.23 ≥2.0.0, <2.2.5
Patched Versions	1.6.23 (patch) 2.2.5 (patch)

CVE-2024-34707¶

Disclosure Date	May 13, 2024
Summary	A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and/or `BANNER_LOGIN` configuration settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as cross-site scripting (stored XSS).
Full Description	GHSA-r2hr-4v48-fjv3
Affected Versions	<1.6.22 ≥2.0.0, <2.2.4
Patched Versions	1.6.22 (patch) 2.2.4 (patch)

CVE-2024-32979¶

Disclosure Date	April 30, 2024
Summary	Due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users.
Full Description	GHSA-jxgr-gcj5-cqqg
Affected Versions	≥1.5.0, <1.6.20 ≥2.0.0, <2.2.3
Patched Versions	1.6.20 (patch) 2.2.3 (patch)

CVE-2024-29199¶

Disclosure Date	March 25, 2024
Summary	A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users and therefore could potentially disclose sensitive information.
Full Description	GHSA-m732-wvh2-7cq4
Affected Versions	<1.6.16 ≥2.0.0, <2.1.9
Patched Versions	1.6.16 (patch) 2.1.9 (patch)

CVE-2024-23345¶

Disclosure Date	January 22, 2024
Summary	Due to inadequate input sanitization, user-editable fields that support Markdown rendering of their contents could potentially be susceptible to cross-site scripting (XSS) attacks via maliciously crafted data.
Full Description	GHSA-v4xv-795h-rv4h
Affected Versions	<1.6.10 ≥2.0.0, <2.1.2
Patched Versions	1.6.10 (patch) 2.1.2 (patch)

CVE-2023-51649¶

Disclosure Date	December 22, 2023
Summary	When submitting a Job to run via a Job Button, only the model-level permission was checked (i.e., does the user have permission to run Jobs in general?). Object-level permissions (i.e., does the user have permission to run this specific Job?) were not enforced, possibly allowing a user to run JobButton Jobs that they should not be permitted to run.
Full Description	GHSA-vf5m-xrhm-v999
Affected Versions	≥1.5.14, <1.6.8 ≥2.0.0, <2.1.0
Patched Versions	1.6.8 (patch) 2.1.0 (patch)

CVE-2023-50263¶

Disclosure Date	December 12, 2023
Summary	Unauthenticated (anonymous) users who know the name of a specific file uploaded as a Job input can potentially download the contents of that file from Nautobot.
Full Description	GHSA-75mc-3pjc-727q
Affected Versions	≥1.1.0, <1.6.7 ≥2.0.0, <2.0.6
Patched Versions	1.6.7 (patch) 2.0.6 (patch)

CVE-2023-48705¶

Disclosure Date	November 21, 2023
Summary	A user with permission to create or edit custom links, job buttons, and/or computed fields could potentially inject a malicious payload, such as JavaScript code or cross-site scripting (XSS).
Full Description	GHSA-cf9f-wmhp-v4pr
Affected Versions	<1.6.6 ≥2.0.0, <2.0.5
Patched Versions	1.6.6 (patch) 2.0.5 (patch)

CVE-2023-46128¶

Disclosure Date	October 24, 2023
Summary	Certain REST API endpoints, in combination with the ?depth= query parameter, could expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints.
Full Description	GHSA-r2hw-74xv-4gqp
Affected Versions	≥2.0.0, <2.0.3
Patched Versions	2.0.3 (patch)

CVE-2023-25657¶

Disclosure Date	February 21, 2023
Summary	Lack of environment sandboxing in Jinja2 template rendering of user-authored data (computed fields, custom links, export templates, etc.) could potentially result in remote code execution.
Full Description	GHSA-8mfq-f5wj-vw5m
Affected Versions	<1.5.7
Patched Versions	1.5.7 (patch)