Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12NHh2LTc5NWgtcnY0aM4AA4oT
XSS potential in rendered Markdown fields (comments, description, notes, etc.)
Impact
All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted.
Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including:
- Circuit.comments
- Cluster.comments
- CustomField.description
- Device.comments
- DeviceRedundancyGroup.comments
- DeviceType.comments
- Job.description
- JobLogEntry.message
- Location.comments
- Note.note
- PowerFeed.comments
- Provider.noc_contact
- Provider.admin_contact
- Provider.comments
- ProviderNetwork.comments
- Rack.comments
- Tenant.comments
- VirtualMachine.comments
- Contents of any custom fields of type markdown
- Job class description attributes
- The SUPPORT_MESSAGE system configuration setting
are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data.
Patches
Fixed in Nautobot versions 1.6.10 and 2.1.2.
References
https://github.com/nautobot/nautobot/pull/5133
https://github.com/nautobot/nautobot/pull/5134
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NHh2LTc5NWgtcnY0aM4AA4oT
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 10 months ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
Identifiers: GHSA-v4xv-795h-rv4h, CVE-2024-23345
References:
- https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h
- https://nvd.nist.gov/vuln/detail/CVE-2024-23345
- https://github.com/nautobot/nautobot/pull/5133
- https://github.com/nautobot/nautobot/pull/5134
- https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80
- https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce
- https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2024-16.yaml
- https://github.com/advisories/GHSA-v4xv-795h-rv4h
Blast Radius: 11.9
Affected Packages
pypi:nautobot
Dependent packages: 34
Dependent repositories: 47
Downloads: 13,664 last month
Affected Version Ranges: < 1.6.10, >= 2.0.0, < 2.1.2
Fixed in: 1.6.10, 2.1.2
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 1.5.18, 1.5.19, 1.5.20, 1.5.21, 1.5.22, 1.5.23, 1.5.24, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1
All unaffected versions: 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16, 1.6.17, 1.6.18, 1.6.19, 1.6.20, 1.6.21, 1.6.22, 1.6.23, 1.6.24, 1.6.25, 1.6.26, 1.6.27, 1.6.28, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12
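To check a deployment against the ranges listed above, the following Python (an added example, not ecosyste.ms or Nautobot code) parses the flattened range string and compares it with an installed version. It assumes, since the page does not say so, that the comma-separated form lists several ranges back to back and that each lower bound ('>' or '>=') begins a new range; that reads the string above as '< 1.6.10' and '>= 2.0.0, < 2.1.2', which is the only reading consistent with the 'All affected versions' list. Function names are the example's own, and only plain dotted numeric versions are handled.

```python
import operator
import re

# Range string and package name exactly as given in this advisory record.
AFFECTED_RANGES = "< 1.6.10, >= 2.0.0, < 2.1.2"
DISTRIBUTION = "nautobot"

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}
CONSTRAINT_RE = re.compile(r"(<=|>=|==|<|>)\s*([0-9]+(?:\.[0-9]+)*)")


def parse_version(text):
    """Turn '1.6.10' into (1, 6, 10); reject pre-release/local suffixes explicitly."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def satisfies(op, version, bound):
    """Compare two version tuples after zero-padding so (2, 0) == (2, 0, 0)."""
    width = max(len(version), len(bound))
    v = version + (0,) * (width - len(version))
    b = bound + (0,) * (width - len(bound))
    return OPS[op](v, b)


def parse_ranges(spec):
    """Split a flattened advisory range string into a list of ranges.

    Assumption (not stated on the page): every lower bound ('>' or '>=')
    starts a new range; other constraints attach to the current range.
    Returns e.g. [[('<', (1, 6, 10))], [('>=', (2, 0, 0)), ('<', (2, 1, 2))]].
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = CONSTRAINT_RE.fullmatch(item)
        if m is None:
            raise ValueError(f"cannot parse constraint {item!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        if op in (">", ">=") or not ranges:
            ranges.append([])
        ranges[-1].append((op, bound))
    return ranges


def is_affected(version, spec=AFFECTED_RANGES):
    """True when the version lies inside any one of the advisory's ranges."""
    v = parse_version(version)
    return any(all(satisfies(op, v, b) for op, b in rng) for rng in parse_ranges(spec))


def installed_status(dist=DISTRIBUTION, spec=AFFECTED_RANGES):
    """Report (installed_version, affected) for the current Python environment.

    Returns (None, None) when the distribution is not installed and
    (version, None) when the version string is not plain dotted numerics.
    """
    from importlib.metadata import PackageNotFoundError, version
    try:
        installed = version(dist)
    except PackageNotFoundError:
        return None, None
    try:
        return installed, is_affected(installed, spec)
    except ValueError:
        return installed, None


if __name__ == "__main__":
    ver, hit = installed_status()
    if ver is None:
        print(f"{DISTRIBUTION} is not installed in this environment")
    else:
        print(f"{DISTRIBUTION} {ver}: {'AFFECTED' if hit else 'not affected' if hit is False else 'undetermined'}")
```

Run inside the virtualenv that hosts the Nautobot deployment so importlib.metadata sees the right distribution; in a CI job the same is_affected() call can be pointed at the pinned version from a lock file instead.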