ghsa-m732-wvh2-7cq4
Vulnerability from github
Published
2024-03-26 01:50
Modified
2024-03-26 12:52
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Unauthenticated views may expose information to anonymous users
Details

Impact

A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users, including the following:

  • /api/graphql/ (1)
  • /api/users/users/session/ (Nautobot 2.x only; the only information exposed to an anonymous user is which authentication backend classes are enabled on this Nautobot instance)
  • /dcim/racks/<uuid:pk>/dynamic-groups/ (1)
  • /dcim/devices/<uuid:pk>/dynamic-groups/ (1)
  • /extras/job-results/<uuid:pk>/log-table/
  • /extras/secrets/provider/<str:provider_slug>/form/ (the only information exposed to an anonymous user is the fact that a secrets provider with the given slug (e.g. environment-variable or text-file) is supported by this Nautobot instance)
  • /ipam/prefixes/<uuid:pk>/dynamic-groups/ (1)
  • /ipam/ip-addresses/<uuid:pk>/dynamic-groups/ (1)
  • /virtualization/clusters/<uuid:pk>/dynamic-groups/ (1)
  • /virtualization/virtual-machines/<uuid:pk>/dynamic-groups/ (1)

(1) These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users.

Of these endpoints, the only one that poses any significant risk of sensitive information disclosure under normal Nautobot operation with a default configuration is /extras/job-results/<uuid:pk>/log-table/. This endpoint returns an HTML table containing all of the logs associated with the specified JobResult; while these logs may contain sensitive information depending on the Jobs executed in Nautobot, this exposure is mitigated somewhat by the fact that any attacker would have to have prior knowledge of the existence of a JobResult with a particular UUID.

In the interest of full disclosure, the following additional endpoints were also accessible to anonymous users, but do not disclose any sensitive data when accessed (only a listing of other API endpoints).

  • /api/
  • /api/circuits/
  • /api/dcim/
  • /api/extras/
  • /api/ipam/
  • /api/plugins/
  • /api/tenancy/
  • /api/users/
  • /api/virtualization/

All of the above endpoints have been corrected to require user authentication, with the exception of /api/users/users/session/ which is unused at this time and therefore has been simply removed from Nautobot 2.1.9. Additionally, we have added test automation which enumerates available Nautobot URL endpoints and verifies that appropriate authentication requirements are in place; this test was instrumental in identifying the above comprehensive list.

Patches

Fixes will be included in Nautobot 1.6.16 and 2.1.9.

Workarounds

Partial workaround: If your configuration includes a non-default value for EXEMPT_VIEW_PERMISSIONS (the Nautobot default is an empty list), reverting it to default will prevent exposure of Nautobot information to unauthenticated users via the endpoints marked with (1) above.

References

Are there any links users can visit to find out more?

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nautobot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nautobot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-26T01:50:31Z",
    "nvd_published_at": "2024-03-26T03:15:13Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nA number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users, including the following:\n\n- `/api/graphql/` (1)\n- `/api/users/users/session/` (Nautobot 2.x only; the only information exposed to an anonymous user is which authentication backend classes are enabled on this Nautobot instance)\n- `/dcim/racks/\u003cuuid:pk\u003e/dynamic-groups/` (1)\n- `/dcim/devices/\u003cuuid:pk\u003e/dynamic-groups/` (1)\n- `/extras/job-results/\u003cuuid:pk\u003e/log-table/`\n- `/extras/secrets/provider/\u003cstr:provider_slug\u003e/form/` (the only information exposed to an anonymous user is the fact that a secrets provider with the given slug (e.g. `environment-variable` or `text-file`) is supported by this Nautobot instance)\n- `/ipam/prefixes/\u003cuuid:pk\u003e/dynamic-groups/` (1)\n- `/ipam/ip-addresses/\u003cuuid:pk\u003e/dynamic-groups/` (1)\n- `/virtualization/clusters/\u003cuuid:pk\u003e/dynamic-groups/` (1)\n- `/virtualization/virtual-machines/\u003cuuid:pk\u003e/dynamic-groups/` (1)\n\n(1) These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable `EXEMPT_VIEW_PERMISSIONS` is changed from its default value (an empty list) to permit access to specific data by unauthenticated users.\n\nOf these endpoints, the only one that poses any significant risk of sensitive information disclosure under normal Nautobot operation with a default configuration is `/extras/job-results/\u003cuuid:pk\u003e/log-table/`. This endpoint returns an HTML table containing all of the logs associated with the specified JobResult; while these logs may contain sensitive information depending on the Jobs executed in Nautobot, this exposure is mitigated somewhat by the fact that any attacker would have to have prior knowledge of the existence of a JobResult with a particular UUID.\n\nIn the interest of full disclosure, the following additional endpoints were also accessible to anonymous users, but do not disclose any sensitive data when accessed (only a listing of other API endpoints). \n\n- `/api/`\n- `/api/circuits/`\n- `/api/dcim/`\n- `/api/extras/`\n- `/api/ipam/`\n- `/api/plugins/`\n- `/api/tenancy/`\n- `/api/users/`\n- `/api/virtualization/`\n\nAll of the above endpoints have been corrected to require user authentication, with the exception of `/api/users/users/session/` which is unused at this time and therefore has been simply removed from Nautobot 2.1.9. Additionally, we have added test automation which enumerates available Nautobot URL endpoints and verifies that appropriate authentication requirements are in place; this test was instrumental in identifying the above comprehensive list.\n\n### Patches\n\nFixes will be included in Nautobot 1.6.16 and 2.1.9.\n\n### Workarounds\n\nPartial workaround: If your configuration includes a non-default value for `EXEMPT_VIEW_PERMISSIONS` (the Nautobot default is an empty list), reverting it to default will prevent exposure of Nautobot information to unauthenticated users via the endpoints marked with (1) above.\n\n### References\n_Are there any links users can visit to find out more?_\n",
  "id": "GHSA-m732-wvh2-7cq4",
  "modified": "2024-03-26T12:52:19Z",
  "published": "2024-03-26T01:50:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29199"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/pull/5464"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/pull/5465"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nautobot/nautobot"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unauthenticated views may expose information to anonymous users"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.