MEDIUM 4.3

PYSEC-2023-287

Details

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When a Job is submitted to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., is the user allowed to run Jobs in general). Object-level permissions (i.e., is the user allowed to run this specific Job) are not enforced by the URL/view used in this case. As a result, a user who holds permission to run even a single Job can run every Job that is wired to a JobButton. The fix is available in Nautobot 1.6.8 and 2.1.0; deployments on the 1.x line should upgrade to 1.6.8 or later and those on the 2.x line to 2.1.0 or later.
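The following is an added illustration of the gap described above, not Nautobot's own code. It uses a small pure-Python stand-in for the Django/Nautobot permission model (the `Job`, `ObjectPermission` and `User` classes, the `grouping` attribute and the sample users and Jobs are all constructed for this example) to contrast a view that checks only the model-level `extras.run_job` permission with one that also enforces the object-level check:

```python
"""Model-level vs object-level permission checks, modelled on the Job Button gap.

Constructed example: the classes below stand in for the Django/Nautobot permission
model and are not the project's own implementation.
"""
from dataclasses import dataclass, field

MODEL_PERM = "extras.run_job"  # the model-level permission named in the advisory


@dataclass(frozen=True)
class Job:
    name: str       # registered Job name (constructed)
    grouping: str   # an attribute an object-level constraint can filter on (constructed)


@dataclass
class ObjectPermission:
    """Stand-in for a Nautobot-style object permission: an action plus an optional
    attribute filter. An empty constraint grants the action on every object."""
    perm: str
    constraints: dict = field(default_factory=dict)

    def matches(self, obj) -> bool:
        # Every constraint key must match the corresponding attribute of the object.
        return all(getattr(obj, k, None) == v for k, v in self.constraints.items())


@dataclass
class User:
    username: str
    permissions: list

    def has_model_perm(self, perm: str) -> bool:
        # Model-level check: any grant of this action, regardless of its constraint.
        return any(p.perm == perm for p in self.permissions)

    def has_object_perm(self, perm: str, obj) -> bool:
        # Object-level check: some grant must cover this specific object.
        return any(p.perm == perm and p.matches(obj) for p in self.permissions)


def run_job_button_vulnerable(user: User, job: Job) -> bool:
    """Pre-fix behaviour as the advisory describes it: only the model-level
    permission is consulted, so the identity of `job` is never examined."""
    return user.has_model_perm(MODEL_PERM)


def run_job_button_fixed(user: User, job: Job) -> bool:
    """Hardened check: the user needs the model-level permission and an
    object-level grant that covers this particular Job."""
    return user.has_model_perm(MODEL_PERM) and user.has_object_perm(MODEL_PERM, job)


def demo() -> dict:
    """Constructed scenario: 'alice' is permitted to run only Jobs in the 'ops'
    grouping, yet the vulnerable path lets her trigger an 'audit' Job as well."""
    ops_job = Job("restart_switch", grouping="ops")
    audit_job = Job("export_all_configs", grouping="audit")
    alice = User("alice", [ObjectPermission(MODEL_PERM, {"grouping": "ops"})])
    return {
        "vuln_ops": run_job_button_vulnerable(alice, ops_job),      # True, intended
        "vuln_audit": run_job_button_vulnerable(alice, audit_job),  # True, the gap
        "fixed_ops": run_job_button_fixed(alice, ops_job),          # True, intended
        "fixed_audit": run_job_button_fixed(alice, audit_job),      # False, enforced
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The point of the comparison is the second argument: `run_job_button_vulnerable` accepts `job` but never looks at it, which is exactly the condition under which a single permitted Job becomes a licence to run all of them. A user with no `extras.run_job` grant at all is still refused by both versions.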


Affected packages

PyPI / nautobot
Introduced in: 1.5.14
Fixed in: 1.6.8
Fix: pip install --upgrade 'nautobot>=1.6.8'
