CVE-2026-34203

MEDIUM CVSS 3.1: 4.3 EPSS 0.03%
Updated Apr 07, 2026
Django
Parameter: Value
CVSS: 4.3 (MEDIUM)
Affected Versions: 3.0.0 — 3.0.10
Fixed In: 2.4.30
Type: CWE-521
Vendor: Django
Public PoC: No

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow users to be created or modified with passwords that are weak or otherwise do not comply with configured standards.

This issue has been patched in versions 2.4.30 and 3.0.10.

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Privileges Required: Low (basic privileges needed)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: None (no data leak)
Integrity: Low (partial data modification)
Availability: None (no disruption)

Vulnerable Products (2)

Configuration: Networktocode Nautobot
CPE: cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*
From (including): (none)
Up to (excluding): 2.4.30

Configuration: Networktocode Nautobot
CPE: cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*
From (including): 3.0.0
Up to (excluding): 3.0.10