ghsa-cf9f-wmhp-v4pr
Vulnerability from github
Published
2023-11-22 20:55
Modified
2024-11-22 18:13
Severity ?
Summary
Cross-site Scripting potential in custom links, job buttons, and computed fields
Details
Impact
All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected.
Due to incorrect usage of Django's mark_safe() API when rendering certain types of user-authored content, including:
- custom links
- job buttons
- computed fields
it is possible that users with permission to create or edit these types of content could craft a malicious payload (such as JavaScript code) that would be executed when rendering pages containing this content.
Patches
Has the problem been patched? What versions should users upgrade to?
We have fixed the incorrect uses of mark_safe() (generally by replacing them with appropriate use of format_html() instead) to prevent such malicious data from being executed.
Users on Nautobot 1.6.x LTM should upgrade to v1.6.6 and users on Nautobot 2.0.x should upgrade to v2.0.5.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Appropriate object permissions can and should be applied to restrict which users are permitted to create or edit the aforementioned types of user-authored content. Other than that, there is no direct fix available.
References
Are there any links users can visit to find out more?
- https://github.com/nautobot/nautobot/pull/4832
- https://github.com/nautobot/nautobot/pull/4833
- https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html
- https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.safestring.mark_safe
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "nautobot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "nautobot"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-48705"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-22T20:55:54Z",
"nvd_published_at": "2023-11-22T16:15:09Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAll users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected.\n\nDue to incorrect usage of Django\u0027s `mark_safe()` API when rendering certain types of user-authored content, including:\n\n- custom links\n- job buttons\n- computed fields\n\nit is possible that users with permission to create or edit these types of content could craft a malicious payload (such as JavaScript code) that would be executed when rendering pages containing this content.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nWe have fixed the incorrect uses of `mark_safe()` (generally by replacing them with appropriate use of `format_html()` instead) to prevent such malicious data from being executed.\n\nUsers on Nautobot 1.6.x LTM should upgrade to v1.6.6 and users on Nautobot 2.0.x should upgrade to v2.0.5.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nAppropriate object permissions can and should be applied to restrict which users are permitted to create or edit the aforementioned types of user-authored content. Other than that, there is no direct fix available.\n\n### References\n_Are there any links users can visit to find out more?_\n\n- https://github.com/nautobot/nautobot/pull/4832\n- https://github.com/nautobot/nautobot/pull/4833\n- https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html\n- https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.safestring.mark_safe",
"id": "GHSA-cf9f-wmhp-v4pr",
"modified": "2024-11-22T18:13:43Z",
"published": "2023-11-22T20:55:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-cf9f-wmhp-v4pr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48705"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/pull/4832"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/pull/4833"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/commit/362850f5a94689a4c75e3188bf6de826c3b012b2"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/commit/54abe23331b6c3d0d82bf1b028c679b1d200920d"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.html.format_html"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/3.2/ref/utils/#django.utils.safestring.mark_safe"
},
{
"type": "PACKAGE",
"url": "https://github.com/nautobot/nautobot"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2023-285.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Cross-site Scripting potential in custom links, job buttons, and computed fields"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.