Skip to content

Unauthenticated views may expose information to anonymous users

Low severity GitHub Reviewed Published Mar 25, 2024 in nautobot/nautobot • Updated Mar 26, 2024

Package

pip nautobot (pip)

Affected versions

< 1.6.16
>= 2.0.0, < 2.1.9

Patched versions

1.6.16
2.1.9

Description

Impact

A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users, including the following:

  • /api/graphql/ (1)
  • /api/users/users/session/ (Nautobot 2.x only; the only information exposed to an anonymous user is which authentication backend classes are enabled on this Nautobot instance)
  • /dcim/racks/<uuid:pk>/dynamic-groups/ (1)
  • /dcim/devices/<uuid:pk>/dynamic-groups/ (1)
  • /extras/job-results/<uuid:pk>/log-table/
  • /extras/secrets/provider/<str:provider_slug>/form/ (the only information exposed to an anonymous user is the fact that a secrets provider with the given slug (e.g. environment-variable or text-file) is supported by this Nautobot instance)
  • /ipam/prefixes/<uuid:pk>/dynamic-groups/ (1)
  • /ipam/ip-addresses/<uuid:pk>/dynamic-groups/ (1)
  • /virtualization/clusters/<uuid:pk>/dynamic-groups/ (1)
  • /virtualization/virtual-machines/<uuid:pk>/dynamic-groups/ (1)

(1) These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users.

Of these endpoints, the only one that poses any significant risk of sensitive information disclosure under normal Nautobot operation with a default configuration is /extras/job-results/<uuid:pk>/log-table/. This endpoint returns an HTML table containing all of the logs associated with the specified JobResult; while these logs may contain sensitive information depending on the Jobs executed in Nautobot, this exposure is mitigated somewhat by the fact that any attacker would have to have prior knowledge of the existence of a JobResult with a particular UUID.

In the interest of full disclosure, the following additional endpoints were also accessible to anonymous users, but do not disclose any sensitive data when accessed (only a listing of other API endpoints).

  • /api/
  • /api/circuits/
  • /api/dcim/
  • /api/extras/
  • /api/ipam/
  • /api/plugins/
  • /api/tenancy/
  • /api/users/
  • /api/virtualization/

All of the above endpoints have been corrected to require user authentication, with the exception of /api/users/users/session/ which is unused at this time and therefore has been simply removed from Nautobot 2.1.9. Additionally, we have added test automation which enumerates available Nautobot URL endpoints and verifies that appropriate authentication requirements are in place; this test was instrumental in identifying the above comprehensive list.

Patches

Fixes will be included in Nautobot 1.6.16 and 2.1.9.

Workarounds

Partial workaround: If your configuration includes a non-default value for EXEMPT_VIEW_PERMISSIONS (the Nautobot default is an empty list), reverting it to default will prevent exposure of Nautobot information to unauthenticated users via the endpoints marked with (1) above.

References

Are there any links users can visit to find out more?

References

@gsnider2195 gsnider2195 published to nautobot/nautobot Mar 25, 2024
Published to the GitHub Advisory Database Mar 26, 2024
Reviewed Mar 26, 2024
Published by the National Vulnerability Database Mar 26, 2024
Last updated Mar 26, 2024

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS score

0.044%
(12th percentile)

Weaknesses

CVE ID

CVE-2024-29199

GHSA ID

GHSA-m732-wvh2-7cq4

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.