References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2.

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-862

https://github.com/nautobot/nautobot/commit/36cde7148a207234de6212ec074f321dbc9d1b5b

https://github.com/nautobot/nautobot/commit/9918bdb9bcf1eb42cda72c344f420a64ef7665f1

https://github.com/nautobot/nautobot/releases/tag/v2.4.33

https://github.com/nautobot/nautobot/releases/tag/v3.1.2

https://github.com/nautobot/nautobot/security/advisories/GHSA-wpxj-44w3-2j6x