Unauthorized Access to Nautobot Endpoints Due to Default Configuration
CVE-2024-29199

3.7LOW

Key Information:

Vendor

Nautobot

Status
Nautobot
Vendor
CVE Published:
26 March 2024

What is CVE-2024-29199?

Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9.

Affected Version(s)

nautobot < 1.6.16 < 1.6.16

nautobot >= 2.0.0, < 2.1.9 < 2.0.0, 2.1.9

References

https://github.com/nautobot/nautobot/security/advisories/...
x_refsource_CONFIRM
https://github.com/nautobot/nautobot/pull/5464
x_refsource_MISC
https://github.com/nautobot/nautobot/pull/5465
x_refsource_MISC

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.