6.5

CVE-2023-48700

EPSS 0.19%
Veröffentlicht 21.11.2023 23:15:08
Zuletzt bearbeitet 21.11.2024 08:32:17
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are visible via Job Results from an execution of an Onboarding Task. Version 3.0.0 fixes this issue; no known workarounds are available. Mitigation recommendations include deleting all Job Results for any onboarding task to remove clear text credentials from database entries that were run while on v2.0.X, upgrading to v3.0.0, and rotating any exposed credentials.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nautobot ≫ Nautobot-plugin-device-onboarding Version >= 2.0.0 < 3.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.19%	0.412

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	5.7	2.1	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CWE-256 Plaintext Storage of a Password

Storing a password in plaintext may result in a system compromise.

CWE-312 Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-48700

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-48700

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-48700

EUVD