6.5
CVE-2023-46128
- EPSS 0.53%
- Veröffentlicht 25.10.2023 18:17:36
- Zuletzt bearbeitet 21.11.2024 08:27:56
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginExposure of hashed user passwords via REST API in Nautobot
Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=<N>` query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. The passwords are not exposed in plaintext. This vulnerability has been patched in version 2.0.3.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Networktocode ≫ Nautobot Version >= 2.0.0 < 2.0.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.53% | 0.404 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| security-advisories@github.com | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-312 Cleartext Storage of Sensitive Information
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
https://github.com/nautobot/nautobot/commit/1ce8e5c658a075c29554d517cd453675e5d40d71
https://github.com/nautobot/nautobot/pull/4692
https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqp