CVE-2024-34707 – nautobot
Package
Manager: pip
Name: nautobot
Vulnerable Version: >=0 <1.6.22 || >=2.0.0 <2.2.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L
EPSS: 0.00221 (percentile 0.44636)
Details
Nautobot's BANNER_* configuration can be used to inject arbitrary HTML content into Nautobot pages

### Impact

A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings provide custom banner text at the top and bottom of every Nautobot web page (or, for `BANNER_LOGIN`, on the login page only), but the values are rendered as raw HTML, so an admin user can use them to inject arbitrary markup into those pages. This exposes Nautobot users to stored cross-site scripting (XSS): the injected content is served to everyone who loads a page, including unauthenticated visitors to the login page.

### Patches

Fixed in Nautobot 1.6.22 and 2.2.4 (matching the vulnerable version range above); upgrade to those releases or later.

### Workarounds

As [described in the Nautobot documentation](https://docs.nautobot.com/projects/core/en/stable/user-guide/administration/configuration/optional-settings/#administratively-configurable-settings), these settings are only configurable through the admin UI of Nautobot if they are *not* explicitly set to some non-empty value in `nautobot_config.py` or the equivalent Nautobot configuration file. Therefore, adding the following configuration to that file completely mitigates this vulnerability in both Nautobot 1.x and 2.x:

```python
BANNER_LOGIN = " "
BANNER_TOP = " "
BANNER_BOTTOM = " "
```

Note that the values are a single space rather than an empty string: an empty string does not count as "explicitly set to a non-empty value" and leaves the setting editable from the admin UI. If you rely on the banner feature, put your real banner text here instead; once a banner is pinned in the configuration file it can no longer be changed from the admin UI.

Alternately (Nautobot 2.x only), if those variables are not defined explicitly in your configuration file, setting the following environment variables for the Nautobot service account serves the same purpose:

```shell
NAUTOBOT_BANNER_LOGIN=" "
NAUTOBOT_BANNER_TOP=" "
NAUTOBOT_BANNER_BOTTOM=" "
```

Limiting all users who do not need elevated privileges to non-admin access (`is_superuser: False` and `is_staff: False`) is a partial mitigation as well: it reduces who can reach `/admin/constance/config/` but does not remove the injection path.

### References

- https://github.com/nautobot/nautobot/pull/5697
- https://github.com/nautobot/nautobot/pull/5698
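The following is an added static check for the workaround above; it is not part of the advisory or of Nautobot itself. It applies the documented rule (a banner is admin-editable unless the config file sets it to a non-empty value; on 2.x an unset banner can also be pinned by its `NAUTOBOT_BANNER_*` environment variable) to the text of a `nautobot_config.py` without executing it. The function names `pinned_banners` and `workaround_applied`, the `os.getenv`/`os.environ.get` recognition, and the sample configs are all assumptions made for this example.

```python
"""Static check for the BANNER_* workaround to GHSA-r2hr-4v48-fjv3 (added example, not Nautobot code).

Rule (from the Nautobot docs cited in the advisory): a BANNER_* setting is
editable at /admin/constance/config/, and therefore abusable, unless it is
explicitly set to a NON-EMPTY value in nautobot_config.py. On Nautobot 2.x a
NAUTOBOT_BANNER_* environment variable also pins a setting that the config
file does not define. The config is parsed with `ast`, never executed, so the
checker can be pointed at a production config file safely.
"""
import ast

BANNER_SETTINGS = ("BANNER_LOGIN", "BANNER_TOP", "BANNER_BOTTOM")


def _static_value(node, env):
    """Resolve an assignment's right-hand side to a string, or None if unknown.

    Recognised shapes (an assumption about how configs are typically written):
    a string literal, and an env lookup written as os.getenv("NAME", "default")
    or os.environ.get("NAME", "default"). Anything else is reported as None and
    treated conservatively as "not pinned" by the caller.
    """
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if (
        isinstance(node, ast.Call)
        and isinstance(node.func, ast.Attribute)
        and node.func.attr in ("getenv", "get")
        and node.args
        and isinstance(node.args[0], ast.Constant)
        and isinstance(node.args[0].value, str)
    ):
        default = ""
        if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
            default = node.args[1].value if isinstance(node.args[1].value, str) else ""
        return env.get(node.args[0].value, default)
    return None


def pinned_banners(config_source, env, major_version=2):
    """Return {setting: bool}; True means the admin UI cannot change that banner."""
    defined = {}
    for node in ast.parse(config_source).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id in BANNER_SETTINGS:
                defined[target.id] = _static_value(node.value, env)

    status = {}
    for name in BANNER_SETTINGS:
        if name in defined:
            # Explicitly defined: pinned only if the resolved value is non-empty.
            # "" (or an unresolvable value) leaves it admin-editable.
            status[name] = bool(defined[name])
        elif major_version >= 2:
            # Not in the config file: 2.x also honours the env-var fallback.
            status[name] = bool(env.get("NAUTOBOT_" + name))
        else:
            status[name] = False
    return status


def workaround_applied(config_source, env, major_version=2):
    """True only when all three banners are locked against admin-UI changes."""
    return all(pinned_banners(config_source, env, major_version).values())


# Constructed sample configs for the demonstration (not real deployments).
VULNERABLE_CONFIG = '''
import os
ALLOWED_HOSTS = ["*"]
BANNER_TOP = ""                                        # empty: still admin-editable
BANNER_LOGIN = os.getenv("NAUTOBOT_BANNER_LOGIN", "")  # pinned only if the env var is set
# BANNER_BOTTOM is not defined at all
'''

HARDENED_CONFIG = '''
BANNER_LOGIN = " "
BANNER_TOP = " "
BANNER_BOTTOM = " "
'''

if __name__ == "__main__":
    cases = [
        ("vulnerable 2.x, no env", VULNERABLE_CONFIG, {}, 2),
        ("vulnerable 2.x, env set", VULNERABLE_CONFIG,
         {"NAUTOBOT_BANNER_LOGIN": " ", "NAUTOBOT_BANNER_BOTTOM": " "}, 2),
        ("hardened 1.x", HARDENED_CONFIG, {}, 1),
    ]
    for label, cfg, env, ver in cases:
        verdict = "OK" if workaround_applied(cfg, env, ver) else "EXPOSED"
        print(label, pinned_banners(cfg, env, ver), verdict)
```

To run it against a real deployment, pass `open(path).read()` and `os.environ` of the Nautobot service account, with `major_version` set from the installed release; a `False` for any banner means an admin user can still inject HTML through that setting until the upgrade is applied.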
Metadata
Created: 2024-05-13T19:59:26Z
Modified: 2024-05-14T20:04:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-r2hr-4v48-fjv3/GHSA-r2hr-4v48-fjv3.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-r2hr-4v48-fjv3
Finding: F425
Auto approve: 1