cvelistv5 - CVE-2024-29199

CVE-2024-29199

Vulnerability from cvelistv5

Published

2024-03-26 03:08

Modified

2024-08-02 16:13

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750
	security-advisories@github.com	https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb
	security-advisories@github.com	https://github.com/nautobot/nautobot/pull/5464
	security-advisories@github.com	https://github.com/nautobot/nautobot/pull/5465
	security-advisories@github.com	https://github.com/nautobot/nautobot/releases/tag/v1.6.16
	security-advisories@github.com	https://github.com/nautobot/nautobot/releases/tag/v2.1.9
	security-advisories@github.com	https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/pull/5464
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/pull/5465
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/releases/tag/v1.6.16
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/releases/tag/v2.1.9
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4

Impacted products

	Vendor	Product	Version
	nautobot	nautobot	Version: < 1.6.16 Version: >= 2.0.0, < 2.1.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:10:54.048Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4"
          },
          {
            "name": "https://github.com/nautobot/nautobot/pull/5464",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nautobot/nautobot/pull/5464"
          },
          {
            "name": "https://github.com/nautobot/nautobot/pull/5465",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nautobot/nautobot/pull/5465"
          },
          {
            "name": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750"
          },
          {
            "name": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb"
          },
          {
            "name": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16"
          },
          {
            "name": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-29199",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-02T16:13:02.596894Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:13:27.128Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nautobot",
          "vendor": "nautobot",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.16"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.1.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-26T03:08:21.873Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4"
        },
        {
          "name": "https://github.com/nautobot/nautobot/pull/5464",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nautobot/nautobot/pull/5464"
        },
        {
          "name": "https://github.com/nautobot/nautobot/pull/5465",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nautobot/nautobot/pull/5465"
        },
        {
          "name": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750"
        },
        {
          "name": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb"
        },
        {
          "name": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16"
        },
        {
          "name": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9"
        }
      ],
      "source": {
        "advisory": "GHSA-m732-wvh2-7cq4",
        "discovery": "UNKNOWN"
      },
      "title": "Unauthenticated views may expose information to anonymous users"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-29199",
    "datePublished": "2024-03-26T03:08:21.873Z",
    "dateReserved": "2024-03-18T17:07:00.095Z",
    "dateUpdated": "2024-08-02T16:13:27.128Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-29199\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-26T03:15:13.707\",\"lastModified\":\"2024-11-21T09:07:47.030\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9.\"},{\"lang\":\"es\",\"value\":\"Nautobot es una plataforma de automatizaci\u00f3n de redes y fuente de verdad de red. Se descubri\u00f3 que varios endpoints de URL de Nautobot no eran accesibles correctamente para usuarios no autenticados (an\u00f3nimos). Estos endpoints no revelar\u00e1n ning\u00fan dato de Nautobot a un usuario no autenticado a menos que la variable de configuraci\u00f3n de Nautobot EXEMPT_VIEW_PERMISSIONS se cambie de su valor predeterminado (una lista vac\u00eda) para permitir el acceso a datos espec\u00edficos por parte de usuarios no autenticados. Esta vulnerabilidad se solucion\u00f3 en 1.6.16 y 2.1.9.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/nautobot/nautobot/pull/5464\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/nautobot/nautobot/pull/5465\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/nautobot/nautobot/releases/tag/v1.6.16\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/nautobot/nautobot/releases/tag/v2.1.9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/nautobot/nautobot/pull/5464\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/nautobot/nautobot/pull/5465\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/nautobot/nautobot/releases/tag/v1.6.16\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/nautobot/nautobot/releases/tag/v2.1.9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4\", \"name\": \"https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/nautobot/nautobot/pull/5464\", \"name\": \"https://github.com/nautobot/nautobot/pull/5464\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/nautobot/nautobot/pull/5465\", \"name\": \"https://github.com/nautobot/nautobot/pull/5465\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750\", \"name\": \"https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb\", \"name\": \"https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/nautobot/nautobot/releases/tag/v1.6.16\", \"name\": \"https://github.com/nautobot/nautobot/releases/tag/v1.6.16\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/nautobot/nautobot/releases/tag/v2.1.9\", \"name\": \"https://github.com/nautobot/nautobot/releases/tag/v2.1.9\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T01:10:54.048Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-29199\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-02T16:13:02.596894Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-02T16:13:09.186Z\"}}], \"cna\": {\"title\": \"Unauthenticated views may expose information to anonymous users\", \"source\": {\"advisory\": \"GHSA-m732-wvh2-7cq4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"nautobot\", \"product\": \"nautobot\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.6.16\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.1.9\"}]}], \"references\": [{\"url\": \"https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4\", \"name\": \"https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nautobot/nautobot/pull/5464\", \"name\": \"https://github.com/nautobot/nautobot/pull/5464\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nautobot/nautobot/pull/5465\", \"name\": \"https://github.com/nautobot/nautobot/pull/5465\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750\", \"name\": \"https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb\", \"name\": \"https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nautobot/nautobot/releases/tag/v1.6.16\", \"name\": \"https://github.com/nautobot/nautobot/releases/tag/v1.6.16\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nautobot/nautobot/releases/tag/v2.1.9\", \"name\": \"https://github.com/nautobot/nautobot/releases/tag/v2.1.9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-26T03:08:21.873Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-29199\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T16:13:27.128Z\", \"dateReserved\": \"2024-03-18T17:07:00.095Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-26T03:08:21.873Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-m732-wvh2-7cq4

Vulnerability from github

Published

2024-03-26 01:50

Modified

2024-03-26 12:52

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

Unauthenticated views may expose information to anonymous users

Details

Impact

A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users, including the following:

/api/graphql/ (1)
/api/users/users/session/ (Nautobot 2.x only; the only information exposed to an anonymous user is which authentication backend classes are enabled on this Nautobot instance)
/dcim/racks/<uuid:pk>/dynamic-groups/ (1)
/dcim/devices/<uuid:pk>/dynamic-groups/ (1)
/extras/job-results/<uuid:pk>/log-table/
/extras/secrets/provider/<str:provider_slug>/form/ (the only information exposed to an anonymous user is the fact that a secrets provider with the given slug (e.g. environment-variable or text-file) is supported by this Nautobot instance)
/ipam/prefixes/<uuid:pk>/dynamic-groups/ (1)
/ipam/ip-addresses/<uuid:pk>/dynamic-groups/ (1)
/virtualization/clusters/<uuid:pk>/dynamic-groups/ (1)
/virtualization/virtual-machines/<uuid:pk>/dynamic-groups/ (1)

(1) These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users.

Of these endpoints, the only one that poses any significant risk of sensitive information disclosure under normal Nautobot operation with a default configuration is /extras/job-results/<uuid:pk>/log-table/. This endpoint returns an HTML table containing all of the logs associated with the specified JobResult; while these logs may contain sensitive information depending on the Jobs executed in Nautobot, this exposure is mitigated somewhat by the fact that any attacker would have to have prior knowledge of the existence of a JobResult with a particular UUID.

In the interest of full disclosure, the following additional endpoints were also accessible to anonymous users, but do not disclose any sensitive data when accessed (only a listing of other API endpoints).

/api/
/api/circuits/
/api/dcim/
/api/extras/
/api/ipam/
/api/plugins/
/api/tenancy/
/api/users/
/api/virtualization/

All of the above endpoints have been corrected to require user authentication, with the exception of /api/users/users/session/ which is unused at this time and therefore has been simply removed from Nautobot 2.1.9. Additionally, we have added test automation which enumerates available Nautobot URL endpoints and verifies that appropriate authentication requirements are in place; this test was instrumental in identifying the above comprehensive list.

Patches

Fixes will be included in Nautobot 1.6.16 and 2.1.9.

Workarounds

Partial workaround: If your configuration includes a non-default value for EXEMPT_VIEW_PERMISSIONS (the Nautobot default is an empty list), reverting it to default will prevent exposure of Nautobot information to unauthenticated users via the endpoints marked with (1) above.

References

Are there any links users can visit to find out more?

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nautobot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nautobot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-26T01:50:31Z",
    "nvd_published_at": "2024-03-26T03:15:13Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nA number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users, including the following:\n\n- `/api/graphql/` (1)\n- `/api/users/users/session/` (Nautobot 2.x only; the only information exposed to an anonymous user is which authentication backend classes are enabled on this Nautobot instance)\n- `/dcim/racks/\u003cuuid:pk\u003e/dynamic-groups/` (1)\n- `/dcim/devices/\u003cuuid:pk\u003e/dynamic-groups/` (1)\n- `/extras/job-results/\u003cuuid:pk\u003e/log-table/`\n- `/extras/secrets/provider/\u003cstr:provider_slug\u003e/form/` (the only information exposed to an anonymous user is the fact that a secrets provider with the given slug (e.g. `environment-variable` or `text-file`) is supported by this Nautobot instance)\n- `/ipam/prefixes/\u003cuuid:pk\u003e/dynamic-groups/` (1)\n- `/ipam/ip-addresses/\u003cuuid:pk\u003e/dynamic-groups/` (1)\n- `/virtualization/clusters/\u003cuuid:pk\u003e/dynamic-groups/` (1)\n- `/virtualization/virtual-machines/\u003cuuid:pk\u003e/dynamic-groups/` (1)\n\n(1) These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable `EXEMPT_VIEW_PERMISSIONS` is changed from its default value (an empty list) to permit access to specific data by unauthenticated users.\n\nOf these endpoints, the only one that poses any significant risk of sensitive information disclosure under normal Nautobot operation with a default configuration is `/extras/job-results/\u003cuuid:pk\u003e/log-table/`. This endpoint returns an HTML table containing all of the logs associated with the specified JobResult; while these logs may contain sensitive information depending on the Jobs executed in Nautobot, this exposure is mitigated somewhat by the fact that any attacker would have to have prior knowledge of the existence of a JobResult with a particular UUID.\n\nIn the interest of full disclosure, the following additional endpoints were also accessible to anonymous users, but do not disclose any sensitive data when accessed (only a listing of other API endpoints). \n\n- `/api/`\n- `/api/circuits/`\n- `/api/dcim/`\n- `/api/extras/`\n- `/api/ipam/`\n- `/api/plugins/`\n- `/api/tenancy/`\n- `/api/users/`\n- `/api/virtualization/`\n\nAll of the above endpoints have been corrected to require user authentication, with the exception of `/api/users/users/session/` which is unused at this time and therefore has been simply removed from Nautobot 2.1.9. Additionally, we have added test automation which enumerates available Nautobot URL endpoints and verifies that appropriate authentication requirements are in place; this test was instrumental in identifying the above comprehensive list.\n\n### Patches\n\nFixes will be included in Nautobot 1.6.16 and 2.1.9.\n\n### Workarounds\n\nPartial workaround: If your configuration includes a non-default value for `EXEMPT_VIEW_PERMISSIONS` (the Nautobot default is an empty list), reverting it to default will prevent exposure of Nautobot information to unauthenticated users via the endpoints marked with (1) above.\n\n### References\n_Are there any links users can visit to find out more?_\n",
  "id": "GHSA-m732-wvh2-7cq4",
  "modified": "2024-03-26T12:52:19Z",
  "published": "2024-03-26T01:50:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29199"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/pull/5464"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/pull/5465"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nautobot/nautobot"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unauthenticated views may expose information to anonymous users"
}

fkie_cve-2024-29199

Vulnerability from fkie_nvd

Published

2024-03-26 03:15

Modified

2024-11-21 09:07

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750
	security-advisories@github.com	https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb
	security-advisories@github.com	https://github.com/nautobot/nautobot/pull/5464
	security-advisories@github.com	https://github.com/nautobot/nautobot/pull/5465
	security-advisories@github.com	https://github.com/nautobot/nautobot/releases/tag/v1.6.16
	security-advisories@github.com	https://github.com/nautobot/nautobot/releases/tag/v2.1.9
	security-advisories@github.com	https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/pull/5464
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/pull/5465
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/releases/tag/v1.6.16
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/releases/tag/v2.1.9
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9."
    },
    {
      "lang": "es",
      "value": "Nautobot es una plataforma de automatizaci\u00f3n de redes y fuente de verdad de red. Se descubri\u00f3 que varios endpoints de URL de Nautobot no eran accesibles correctamente para usuarios no autenticados (an\u00f3nimos). Estos endpoints no revelar\u00e1n ning\u00fan dato de Nautobot a un usuario no autenticado a menos que la variable de configuraci\u00f3n de Nautobot EXEMPT_VIEW_PERMISSIONS se cambie de su valor predeterminado (una lista vac\u00eda) para permitir el acceso a datos espec\u00edficos por parte de usuarios no autenticados. Esta vulnerabilidad se solucion\u00f3 en 1.6.16 y 2.1.9."
    }
  ],
  "id": "CVE-2024-29199",
  "lastModified": "2024-11-21T09:07:47.030",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-03-26T03:15:13.707",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/nautobot/nautobot/pull/5464"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/nautobot/nautobot/pull/5465"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/nautobot/nautobot/pull/5464"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/nautobot/nautobot/pull/5465"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

gsd-2024-29199

Vulnerability from gsd

Modified

2024-04-02 05:02

Details

Aliases

CVE-2024-29199

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-29199"
      ],
      "details": "Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9.",
      "id": "GSD-2024-29199",
      "modified": "2024-04-02T05:02:57.453566Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-29199",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "nautobot",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.6.16"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 2.0.0, \u003c 2.1.9"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "nautobot"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-200",
                "lang": "eng",
                "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4",
            "refsource": "MISC",
            "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4"
          },
          {
            "name": "https://github.com/nautobot/nautobot/pull/5464",
            "refsource": "MISC",
            "url": "https://github.com/nautobot/nautobot/pull/5464"
          },
          {
            "name": "https://github.com/nautobot/nautobot/pull/5465",
            "refsource": "MISC",
            "url": "https://github.com/nautobot/nautobot/pull/5465"
          },
          {
            "name": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750",
            "refsource": "MISC",
            "url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750"
          },
          {
            "name": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb",
            "refsource": "MISC",
            "url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb"
          },
          {
            "name": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16",
            "refsource": "MISC",
            "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16"
          },
          {
            "name": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9",
            "refsource": "MISC",
            "url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-m732-wvh2-7cq4",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9."
          },
          {
            "lang": "es",
            "value": "Nautobot es una plataforma de automatizaci\u00f3n de redes y fuente de verdad de red. Se descubri\u00f3 que varios endpoints de URL de Nautobot no eran accesibles correctamente para usuarios no autenticados (an\u00f3nimos). Estos endpoints no revelar\u00e1n ning\u00fan dato de Nautobot a un usuario no autenticado a menos que la variable de configuraci\u00f3n de Nautobot EXEMPT_VIEW_PERMISSIONS se cambie de su valor predeterminado (una lista vac\u00eda) para permitir el acceso a datos espec\u00edficos por parte de usuarios no autenticados. Esta vulnerabilidad se solucion\u00f3 en 1.6.16 y 2.1.9."
          }
        ],
        "id": "CVE-2024-29199",
        "lastModified": "2024-03-26T12:55:05.010",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 1.4,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-03-26T03:15:13.707",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/nautobot/nautobot/pull/5464"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/nautobot/nautobot/pull/5465"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-200"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-29199

Vulnerability from cvelistv5

ghsa-m732-wvh2-7cq4

Vulnerability from github

Impact

Patches

Workarounds

References

fkie_cve-2024-29199

Vulnerability from fkie_nvd

gsd-2024-29199

Vulnerability from gsd

Tags

Sightings

Nomenclature