GHSA-jxgr-gcj5-cqqg
- Source
- https://github.com/advisories/GHSA-jxgr-gcj5-cqqg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-jxgr-gcj5-cqqg/GHSA-jxgr-gcj5-cqqg.json
- Aliases
- Published
- 2024-05-01T09:36:35Z
- Modified
- 2024-05-01T13:26:49.126689Z
- Summary
- nautobot has reflected Cross-site Scripting potential in all object list views
- Details
-
Impact
It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are vulnerable, including:
- /dcim/location-types/
- /dcim/locations/
- /dcim/racks/
- /dcim/rack-groups/
- /dcim/rack-reservations/
- /dcim/rack-elevations/
- /tenancy/tenants/
- /tenancy/tenant-groups/
- /extras/tags/
- /extras/statuses/
- /extras/roles/
- /extras/dynamic-groups/
- /dcim/devices/
- /dcim/platforms/
- /dcim/virtual-chassis/
- /dcim/device-redundancy-groups/
- /dcim/interface-redundancy-groups/
- /dcim/device-types/
- /dcim/manufacturers/
- /dcim/cables/
- /dcim/console-connections/
- /dcim/power-connections/
- /dcim/interface-connections/
- /dcim/interfaces/
- /dcim/front-ports/
- /dcim/rear-ports/
- /dcim/console-ports/
- /dcim/console-server-ports/
- /dcim/power-ports/
- /dcim/power-outlets/
- /dcim/device-bays/
- /dcim/inventory-items/
- /ipam/ip-addresses/
- /ipam/prefixes
- /ipam/rirs/
- /ipam/namespaces/
- /ipam/vrfs/
- /ipam/route-targets/
- /ipam/vlans/
- /ipam/vlan-groups/
- /ipam/services/
- /virtualization/virtual-machines/
- /virtualization/interfaces/
- /virtualization/clusters/
- /virtualization/cluster-types/
- /virtualization/cluster-groups/
- /circuits/circuits/
- /circuits/circuit-types/
- /circuits/providers/
- /circuits/provider-networks/
- /dcim/power-feeds/
- /dcim/power-panels/
- /extras/secrets/
- /extras/secrets-groups/
- /extras/jobs/
- /extras/jobs/scheduled-jobs/approval-queue/
- /extras/jobs/scheduled-jobs/
- /extras/job-results/
- /extras/job-hooks/
- /extras/job-buttons/
- /extras/object-changes/
- /extras/git-repositories/
- /extras/graphql-queries/
- /extras/relationships/
- /extras/notes/
- /extras/config-contexts/
- /extras/config-context-schemas/
- /extras/export-templates/
- /extras/external-integrations/
- /extras/webhooks/
- /extras/computed-fields/
- /extras/custom-fields/
- /extras/custom-links/
as well as any similar object-list views provided by any Nautobot App.
Patches
Fixed in Nautobot 1.6.20 and 2.2.3.
Workarounds
No workaround has been identified
References
- #5646
- #5647
Credit to Michael Panorios for reporting this issue.
- References
-
- https://github.com/nautobot/nautobot/security/advisories/GHSA-jxgr-gcj5-cqqg
- https://nvd.nist.gov/vuln/detail/CVE-2024-32979
- https://github.com/nautobot/nautobot/pull/5646
- https://github.com/nautobot/nautobot/pull/5647
- https://github.com/nautobot/nautobot/commit/2ea5797ea43646d5d8b29433e4c707b5a9758146
- https://github.com/nautobot/nautobot/commit/42440ebd9b381534ad89d62420ebea00d703d64e
- https://github.com/nautobot/nautobot
- https://github.com/nautobot/nautobot/releases/tag/v1.6.20
- https://github.com/nautobot/nautobot/releases/tag/v2.2.3
Affected packages
PyPI / nautobot
Package
- Name
- nautobot
Affected versions
1.*
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10
1.5.11
1.5.12
1.5.13
1.5.14
1.5.15
1.5.16
1.5.17
1.5.18
1.5.19
1.5.20
1.5.21
1.5.22
1.5.23
1.5.24
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.6.12
1.6.13
1.6.14
1.6.15
1.6.16
1.6.17
1.6.18
1.6.19
PyPI / nautobot
Package
- Name
- nautobot