nautobot@1.6.3 vulnerabilities

Source of truth and network automation platform.

Direct Vulnerabilities

Known vulnerabilities in the nautobot package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry below gives the vulnerability, its severity, the fix, and the vulnerable version ranges.
Severity: Medium
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper handling and escaping of user-provided query parameters. All filterable object-list views are vulnerable.

How to fix Cross-site Scripting (XSS)?

Upgrade nautobot to version 1.6.20, 2.2.3 or higher.

Vulnerable versions: [1.5.0,1.6.20) [2.0.0,2.2.3)
Severity: Low
Information Exposure

Affected versions of this package are vulnerable to Information Exposure due to improper access control on several URL endpoints that are reachable by unauthenticated users. An attacker can read sensitive information without authenticating, including details of the system's authentication backend classes, the supported secrets providers, and potentially sensitive logs associated with specific JobResults.

Note:

This is only exploitable if the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is altered from its default value to permit access to specific data by unauthenticated users.

How to fix Information Exposure?

Upgrade nautobot to version 1.6.16, 2.1.9 or higher.

Vulnerable versions: [,1.6.16) [2.0.0,2.1.9)
Severity: Medium
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the files/get endpoint because the file storage is configured without "add_attachment_headers": True, so responses lack the Content-Disposition: attachment HTTP header. Without this header the browser is not prompted to download the file; instead it may render or execute the uploaded file directly in the page context.

How to fix Cross-site Scripting (XSS)?

Upgrade nautobot to version 1.6.10, 2.1.2 or higher.

Vulnerable versions: [,1.6.10) [2.0.0,2.1.2)
Severity: High
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to inadequate input sanitization in user-editable fields that support Markdown rendering. By submitting specially crafted data in such a field, an attacker can inject scripts that are executed in the browser session of any user who views the rendered content.

How to fix Cross-site Scripting (XSS)?

Upgrade nautobot to version 1.6.10, 2.1.2 or higher.

Vulnerable versions: [,1.6.10) [2.0.0,2.1.2)
Severity: Medium
Insufficient Granularity of Access Control

Affected versions of this package are vulnerable to Insufficient Granularity of Access Control due to improper enforcement of object-level permissions in the JobButtonReceiver subclass. An attacker can execute any configured JobButton Job by submitting a request to the vulnerable endpoint, even without the specific permission required for that Job. This is only exploitable if the attacker already has permission to run at least one Job in the system.

How to fix Insufficient Granularity of Access Control?

Upgrade nautobot to version 1.6.8, 2.1.0 or higher.

Vulnerable versions: [1.5.14,1.6.8) [2.0.0,2.1.0)
Severity: Low
Exposure of Sensitive Information to an Unauthorized Actor

Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor via the URLs /files/get/?name=... and /files/download/?name=..., which are intended to give administrators access to files uploaded with Job run requests. An attacker who knows the file name/path value can retrieve such files without authentication.

How to fix Exposure of Sensitive Information to an Unauthorized Actor?

Upgrade nautobot to version 1.6.7, 2.0.6 or higher.

Vulnerable versions: [1.1.0,1.6.7) [2.0.0,2.0.6)
Severity: High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected versions of this package are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') due to incorrect use of Django's mark_safe() API when rendering certain types of user-authored content: the content is marked as trusted HTML instead of being escaped. An attacker with permission to create or edit these types of content can craft a malicious payload (such as JavaScript code) that is executed in the browser of any user who views a page rendering that content.

How to fix Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')?

Upgrade nautobot to version 1.6.6, 2.0.5 or higher.

Vulnerable versions: [,1.6.6) [2.0.0,2.0.5)