Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yMmh3LTc0eHYtNGdxcM4AA2oV
Nautobot vulnerable to exposure of hashed user passwords via REST API
Impact
In Nautobot 2.0.x, certain REST API endpoints, in combination with the ?depth=<N>
query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints.
The passwords are not exposed in plaintext.
Nautobot 1.x is not affected by this vulnerability.
Example:
GET /api/users/permissions/?depth=1
HTTP 200 OK
API-Version: 2.0
Allow: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 1,
"next": null,
"previous": null,
"results": [
{
"id": "28ea85e4-5039-4389-94f1-9a3e1c787149",
"object_type": "users.objectpermission",
"display": "Run Job",
"url": "http://localhost:8080/api/users/permissions/28ea85e4-5039-4389-94f1-9a3e1c787149/",
"natural_slug": "run-job_28ea",
"object_types": [
"extras.job"
],
"name": "Run Job",
"description": "",
"enabled": true,
"actions": [
"run",
"view"
],
"constraints": null,
"groups": [
{
"id": 1,
"object_type": "auth.group",
"display": "A Group",
"url": "http://localhost:8080/api/users/groups/1/",
"natural_slug": "a-group_1",
"name": "A Group"
}
],
"users": [
{
"id": "e73288e2-1326-4bfb-8fea-041290dd7473",
"object_type": "users.user",
"display": "admin",
"url": "http://localhost:8080/api/users/users/e73288e2-1326-4bfb-8fea-041290dd7473/",
"natural_slug": "admin_e732",
"password": "pbkdf2_sha256$260000$jQb7hA48HYJ0MLWQgOZiBl$b72+gz6SpZiRpxceRQfT5Zv/aUac0eJ4NdBTZ8ECOow=",
"last_login": "2023-10-18T14:19:08.780857Z",
"is_superuser": true,
"username": "admin",
"first_name": "",
"last_name": "",
"email": "",
"is_staff": true,
"is_active": true,
"date_joined": "2023-10-18T14:18:55.854023Z",
"config_data": {}
}
]
}
]
}
Note the "password" field present in the nested
"users"
data.
This information is not exposed during direct access to the /api/users/users/
endpoint, but can be exposed through any endpoint which contains a nested reference to User object(s) when an appropriate ?depth=<N>
query parameter is specified. Known impacted endpoints include:
/api/dcim/rack-reservations/?depth=1
(or any greaterdepth
value)/api/extras/job-results/?depth=1
(or any greaterdepth
value)/api/extras/notes/?depth=1
(or any greaterdepth
value)/api/extras/object-changes/?depth=1
(or any greaterdepth
value)/api/extras/scheduled-jobs/?depth=1
(or any greaterdepth
value)/api/users/permissions/?depth=1
(or any greaterdepth
value)
but this is not necessarily an exhaustive list.
Plugin REST API endpoints for any models with a foreign key to the User model may also be impacted by this issue.
The patch identified below mitigates the issue for both Nautobot core REST APIs and plugin REST APIs; no code change in plugins is required to address this issue.
Patches
Refer to https://github.com/nautobot/nautobot/pull/4692 for the patch that resolved this issue.
Workarounds
Upgrading to v2.0.3 or later, or applying the above patch, is the preferred workaround for this issue; while it could also be partially mitigated by updating permissions to deny user access to the above list of impacted REST API endpoints, that is not recommended as other endpoints may also expose this issue until patched.
References
https://github.com/nautobot/nautobot/pull/4692
Permalink: https://github.com/advisories/GHSA-r2hw-74xv-4gqpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yMmh3LTc0eHYtNGdxcM4AA2oV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 2 months ago
CVSS Score: 7.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Percentage: 0.00094
EPSS Percentile: 0.40834
Identifiers: GHSA-r2hw-74xv-4gqp, CVE-2023-46128
References:
- https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqp
- https://github.com/nautobot/nautobot/pull/4692
- https://github.com/nautobot/nautobot/commit/1ce8e5c658a075c29554d517cd453675e5d40d71
- https://nvd.nist.gov/vuln/detail/CVE-2023-46128
- https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2023-220.yaml
- https://github.com/advisories/GHSA-r2hw-74xv-4gqp
Blast Radius: 12.9
Affected Packages
pypi:nautobot
Dependent packages: 34Dependent repositories: 47
Downloads: 13,664 last month
Affected Version Ranges: >= 2.0.0, < 2.0.3
Fixed in: 2.0.3
All affected versions: 2.0.0, 2.0.1, 2.0.2
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 1.5.18, 1.5.19, 1.5.20, 1.5.21, 1.5.22, 1.5.23, 1.5.24, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16, 1.6.17, 1.6.18, 1.6.19, 1.6.20, 1.6.21, 1.6.22, 1.6.23, 1.6.24, 1.6.25, 1.6.26, 1.6.27, 1.6.28, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12