-
Notifications
You must be signed in to change notification settings - Fork 85
Expand file tree
/
Copy pathPYSEC-2023-286.yaml
More file actions
137 lines (137 loc) · 3.35 KB
/
PYSEC-2023-286.yaml
File metadata and controls
137 lines (137 loc) · 3.35 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
id: PYSEC-2023-286
modified: 2024-11-21T14:22:55.664554Z
published: 2023-12-12T23:15:00Z
aliases:
- CVE-2023-50263
- GHSA-75mc-3pjc-727q
details: "Nautobot is a Network Source of Truth and Network Automation Platform built
as a web application atop the Django Python framework with a PostgreSQL or MySQL
database. In Nautobot 1.x and 2.0.x prior to 1.6.7 and 2.0.6, the URLs `/files/get/?name=...`
and `/files/download/?name=...` are used to provide admin access to files that have
been uploaded as part of a run request for a Job that has FileVar inputs. Under
normal operation these files are ephemeral and are deleted once the Job in question
runs. \n\nIn the default implementation used in Nautobot, as provided by `django-db-file-storage`,
these URLs do not by default require any user authentication to access; they should
instead be restricted to only users who have permissions to view Nautobot's `FileProxy`
model instances.\n\nNote that no URL mechanism is provided for listing or traversal
of the available file `name` values, so in practice an unauthenticated user would
have to guess names to discover arbitrary files for download, but if a user knows
the file name/path value, they can access it without authenticating, so we are considering
this a vulnerability.\n\nFixes are included in Nautobot 1.6.7 and Nautobot 2.0.6.
No known workarounds are available other than applying the patches included in those
versions."
affected:
- package:
ecosystem: PyPI
name: nautobot
purl: pkg:pypi/nautobot
ranges:
- type: GIT
events:
- introduced: "0"
- fixed: 458280c359a4833a20da294eaf4b8d55edc91cee
- fixed: 7c4cf3137f45f1541f09f2f6a7f8850cd3a2eaee
repo: https://github.com/nautobot/nautobot
- type: ECOSYSTEM
events:
- introduced: 1.1.0
- fixed: 1.6.7
- introduced: 2.0.0
- fixed: 2.0.6
versions:
- 1.1.0
- 1.1.1
- 1.1.2
- 1.1.3
- 1.1.4
- 1.1.5
- 1.1.6
- 1.2.0
- 1.2.1
- 1.2.10
- 1.2.11
- 1.2.2
- 1.2.3
- 1.2.4
- 1.2.5
- 1.2.6
- 1.2.7
- 1.2.8
- 1.2.9
- 1.3.0
- 1.3.1
- 1.3.10
- 1.3.2
- 1.3.3
- 1.3.4
- 1.3.5
- 1.3.6
- 1.3.7
- 1.3.8
- 1.3.9
- 1.4.0
- 1.4.1
- 1.4.10
- 1.4.2
- 1.4.3
- 1.4.4
- 1.4.5
- 1.4.7
- 1.4.8
- 1.4.9
- 1.5.0
- 1.5.1
- 1.5.10
- 1.5.11
- 1.5.12
- 1.5.13
- 1.5.14
- 1.5.15
- 1.5.16
- 1.5.17
- 1.5.18
- 1.5.19
- 1.5.2
- 1.5.20
- 1.5.21
- 1.5.22
- 1.5.23
- 1.5.24
- 1.5.3
- 1.5.4
- 1.5.5
- 1.5.6
- 1.5.7
- 1.5.8
- 1.5.9
- 1.6.0
- 1.6.1
- 1.6.2
- 1.6.3
- 1.6.4
- 1.6.5
- 1.6.6
- 2.0.0
- 2.0.1
- 2.0.2
- 2.0.3
- 2.0.4
- 2.0.5
severity:
- type: CVSS_V3
score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
references:
- type: FIX
url: https://github.com/nautobot/nautobot/security/advisories/GHSA-75mc-3pjc-727q
- type: ADVISORY
url: https://github.com/nautobot/nautobot/security/advisories/GHSA-75mc-3pjc-727q
- type: FIX
url: https://github.com/nautobot/nautobot/pull/4959
- type: FIX
url: https://github.com/nautobot/nautobot/pull/4964
- type: FIX
url: https://github.com/nautobot/nautobot/commit/458280c359a4833a20da294eaf4b8d55edc91cee
- type: FIX
url: https://github.com/nautobot/nautobot/commit/7c4cf3137f45f1541f09f2f6a7f8850cd3a2eaee
- type: WEB
url: https://github.com/victor-o-silva/db_file_storage/blob/master/db_file_storage/views.py