CVE-2023-50263 nautobot

Package

Manager: pip
Name: nautobot
Vulnerable Version: >=1.1.0 <1.6.7 || >=2.0.0 <2.0.6

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00449 (percentile 0.62695)

Details

Unauthenticated db-file-storage views

### Impact

In Nautobot 1.x and 2.0.x, the URLs `/files/get/?name=...` and `/files/download/?name=...` are used to provide admin access to files that have been uploaded as part of a run request for a Job that has FileVar inputs. Under normal operation these files are ephemeral and are deleted once the Job in question runs.

It was reported by @kircheneer that in the default implementation used in Nautobot, as provided by `django-db-file-storage`, these URLs do not by default require any user authentication to access; they should instead be restricted to only users who have permissions to view Nautobot's `FileProxy` model instances.

Note that no URL mechanism is provided for listing or traversal of the available file `name` values, so in practice an unauthenticated user would have to guess names to discover arbitrary files for download, but if a user knows the file name/path value, they can access it without authenticating, so we are considering this a vulnerability.

### Patches

Fixes will be included in Nautobot 1.6.7 and Nautobot 2.0.6.

### Workarounds

No workaround other than applying the patches included in https://github.com/nautobot/nautobot/pull/4959/files (2.0.x) or https://github.com/nautobot/nautobot/pull/4964/files (1.6.x).

### References

- https://github.com/victor-o-silva/db_file_storage/blob/master/db_file_storage/views.py
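The access-control gap the advisory describes, shown as an added example that is not Nautobot's or django-db-file-storage's code: a file view that looks up a file by its `name` query parameter with no authentication check, next to a hardened view that first requires an authenticated user holding view permission on the `FileProxy` model. The example is framework-free so it runs offline; the `User`/`Request`/`Response` classes, the in-memory `FILE_STORE`, and the permission codename `extras.view_fileproxy` are assumptions standing in for Django's `request.user.has_perm()` and the database-backed storage. In a real Django project the same gate is expressed with the `login_required` and `permission_required` decorators.

```python
"""Missing-authorization pattern beside its hardened form (added example,
not project code; names and the permission codename are assumptions)."""
from dataclasses import dataclass, field
from http import HTTPStatus


@dataclass
class User:
    """Minimal stand-in for Django's request.user (assumed shape)."""
    is_authenticated: bool = False
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        # Anonymous users never hold permissions, mirroring Django's behaviour.
        return self.is_authenticated and perm in self.perms


@dataclass
class Request:
    GET: dict
    user: User = field(default_factory=User)


@dataclass
class Response:
    status: int
    body: bytes = b""


# Constructed stand-in for job-input files kept by db-file-storage.
FILE_STORE = {
    "job-input-1.csv": b"site,role\nny1,core\n",
}

# Assumed Django-style codename for viewing FileProxy instances.
FILEPROXY_VIEW_PERM = "extras.view_fileproxy"


def _lookup_file(name: str) -> Response:
    """Shared storage lookup: 404 when the name is unknown, else the bytes."""
    data = FILE_STORE.get(name)
    if data is None:
        return Response(HTTPStatus.NOT_FOUND)
    return Response(HTTPStatus.OK, data)


def get_file_unauthenticated(request: Request) -> Response:
    """The vulnerable pattern: anyone who knows `name` receives the file."""
    return _lookup_file(request.GET.get("name", ""))


def get_file_hardened(request: Request) -> Response:
    """Gate the lookup: 401 for anonymous callers, 403 without view permission."""
    user = request.user
    if not user.is_authenticated:
        return Response(HTTPStatus.UNAUTHORIZED)
    if not user.has_perm(FILEPROXY_VIEW_PERM):
        return Response(HTTPStatus.FORBIDDEN)
    return _lookup_file(request.GET.get("name", ""))


def demo() -> dict:
    """Exercise both views with the same three callers; returns status codes."""
    anon = User()
    no_perm = User(is_authenticated=True)
    viewer = User(is_authenticated=True, perms={FILEPROXY_VIEW_PERM})
    req = lambda u: Request(GET={"name": "job-input-1.csv"}, user=u)
    return {
        "vulnerable_anonymous": get_file_unauthenticated(req(anon)).status,
        "hardened_anonymous": get_file_hardened(req(anon)).status,
        "hardened_no_perm": get_file_hardened(req(no_perm)).status,
        "hardened_viewer": get_file_hardened(req(viewer)).status,
        "hardened_unknown_name": get_file_hardened(
            Request(GET={"name": "does-not-exist"}, user=viewer)).status,
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {int(status)}")
```

The ordering in `get_file_hardened` is deliberate: the identity and permission checks run before the storage lookup, so an unauthenticated caller learns nothing about which names exist (an unknown name and a known one both yield 401), which matters because the advisory notes that names are only discoverable by guessing.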

Metadata

Created: 2023-12-13T13:35:48Z
Modified: 2024-11-22T18:14:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-75mc-3pjc-727q/GHSA-75mc-3pjc-727q.json
CWE IDs: ["CWE-200", "CWE-306"]
Alternative ID: GHSA-75mc-3pjc-727q
Finding: F006
Auto approve: 1