Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qeGdyLWdjajUtY3FxZ84AA7cp
nautobot has reflected Cross-site Scripting potential in all object list views
Impact
It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable, including:
- /dcim/location-types/
- /dcim/locations/
- /dcim/racks/
- /dcim/rack-groups/
- /dcim/rack-reservations/
- /dcim/rack-elevations/
- /tenancy/tenants/
- /tenancy/tenant-groups/
- /extras/tags/
- /extras/statuses/
- /extras/roles/
- /extras/dynamic-groups/
- /dcim/devices/
- /dcim/platforms/
- /dcim/virtual-chassis/
- /dcim/device-redundancy-groups/
- /dcim/interface-redundancy-groups/
- /dcim/device-types/
- /dcim/manufacturers/
- /dcim/cables/
- /dcim/console-connections/
- /dcim/power-connections/
- /dcim/interface-connections/
- /dcim/interfaces/
- /dcim/front-ports/
- /dcim/rear-ports/
- /dcim/console-ports/
- /dcim/console-server-ports/
- /dcim/power-ports/
- /dcim/power-outlets/
- /dcim/device-bays/
- /dcim/inventory-items/
- /ipam/ip-addresses/
- /ipam/prefixes
- /ipam/rirs/
- /ipam/namespaces/
- /ipam/vrfs/
- /ipam/route-targets/
- /ipam/vlans/
- /ipam/vlan-groups/
- /ipam/services/
- /virtualization/virtual-machines/
- /virtualization/interfaces/
- /virtualization/clusters/
- /virtualization/cluster-types/
- /virtualization/cluster-groups/
- /circuits/circuits/
- /circuits/circuit-types/
- /circuits/providers/
- /circuits/provider-networks/
- /dcim/power-feeds/
- /dcim/power-panels/
- /extras/secrets/
- /extras/secrets-groups/
- /extras/jobs/
- /extras/jobs/scheduled-jobs/approval-queue/
- /extras/jobs/scheduled-jobs/
- /extras/job-results/
- /extras/job-hooks/
- /extras/job-buttons/
- /extras/object-changes/
- /extras/git-repositories/
- /extras/graphql-queries/
- /extras/relationships/
- /extras/notes/
- /extras/config-contexts/
- /extras/config-context-schemas/
- /extras/export-templates/
- /extras/external-integrations/
- /extras/webhooks/
- /extras/computed-fields/
- /extras/custom-fields/
- /extras/custom-links/
as well as any similar object-list views provided by any Nautobot App.
Patches
Fixed in Nautobot 1.6.20 and 2.2.3.
Workarounds
No workaround has been identified.
References
- #5646
- #5647
Credit to Michael Panorios for reporting this issue.
Permalink: https://github.com/advisories/GHSA-jxgr-gcj5-cqqg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qeGdyLWdjajUtY3FxZ84AA7cp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 months ago
Updated: 7 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
Identifiers: GHSA-jxgr-gcj5-cqqg, CVE-2024-32979
References:
- https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg
- https://github.com/nautobot/nautobot/pull/5646
- https://github.com/nautobot/nautobot/pull/5647
- https://github.com/nautobot/nautobot/commit/2ea5797ea43646d5d8b29433e4c707b5a9758146
- https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e
- https://github.com/nautobot/nautobot/releases/tag/v1.6.20
- https://github.com/nautobot/nautobot/releases/tag/v2.2.3
- https://nvd.nist.gov/vuln/detail/CVE-2024-32979
- https://github.com/advisories/GHSA-jxgr-gcj5-cqqg
Blast Radius: 12.5
Affected Packages
pypi:nautobot
Dependent packages: 34
Dependent repositories: 47
Downloads: 13,664 last month
Affected Version Ranges: >= 2.0.0, < 2.2.3, >= 1.5.0, < 1.6.20
Fixed in: 2.2.3, 1.6.20
All affected versions: 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 1.5.18, 1.5.19, 1.5.20, 1.5.21, 1.5.22, 1.5.23, 1.5.24, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16, 1.6.17, 1.6.18, 1.6.19, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.6.20, 1.6.21, 1.6.22, 1.6.23, 1.6.24, 1.6.25, 1.6.26, 1.6.27, 1.6.28, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12
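To triage a fleet against the ranges above, the following added example (not code from the advisory or from the Nautobot project) checks a version string against the two affected intervals and returns the fixed release to upgrade to. The host names and inventory are constructed, and the conservative handling of pre-release suffixes is an assumption.

```python
import re

# Ranges listed on this page, read as two half-open intervals whose upper
# bounds are the fixed releases: [1.5.0, 1.6.20) and [2.0.0, 2.2.3).
AFFECTED_RANGES = [((1, 5, 0), (1, 6, 20)), ((2, 0, 0), (2, 2, 3))]

_VERSION = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*?)\s*$")
_PRERELEASE = re.compile(r"[-._]?(?:a|b|rc|alpha|beta|dev|pre)[-._]?\d*$", re.IGNORECASE)


def parse_release(version):
    """Split '2.2.3rc1' into ((2, 2, 3), True): release tuple and pre-release flag."""
    match = _VERSION.match(version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(part) for part in match.group(1).split("."))
    release += (0,) * (3 - len(release))  # pad '2.2' to (2, 2, 0)
    return release, bool(_PRERELEASE.match(match.group(2)))


def fixed_release_for(version):
    """Return the fixed release to upgrade to, or None if the version is not affected.

    Assumption: a pre-release of a fixed version (e.g. '2.2.3rc1') is treated as
    affected, since the page only names the final releases as fixed.
    """
    release, prerelease = parse_release(version)
    for low, high in AFFECTED_RANGES:
        if low <= release < high or (release == high and prerelease):
            return ".".join(str(part) for part in high)
    return None


def audit(inventory):
    """Map host name -> required upgrade for every affected host in the inventory."""
    findings = {}
    for host, version in inventory.items():
        target = fixed_release_for(version)
        if target is not None:
            findings[host] = target
    return findings


if __name__ == "__main__":
    # Constructed inventory (host names and versions are illustrative).
    sample = {"nb-prod": "2.1.9", "nb-lab": "1.6.20", "nb-legacy": "1.4.10", "nb-dr": "v1.5.24"}
    for host, target in sorted(audit(sample).items()):
        print(f"{host}: upgrade to Nautobot {target}")
```

Because the advisory identifies no workaround, any host this reports needs the upgrade itself.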