Nautobot
CVE-2024-29199
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 1 pypi packages depend on nautobot (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.0.0.
DescriptionNVD
Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9.
AnalysisAI
Nautobot is a Network Source of Truth and Network Automation Platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9. Affected products include: Networktocode Nautobot.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL
Nautobot is a Network Source of Truth and Network Automation Platform. Rated critical severity (CVSS 9.8), this vulnerab
Nautobot is a Network Source of Truth and Network Automation Platform. Rated medium severity (CVSS 4.8), this vulnerabil
A remote code execution vulnerability in Nautobot (CVSS 7.1). High severity vulnerability requiring prompt remediation.
Nautobot is a Network Source of Truth and Network Automation Platform. Rated medium severity (CVSS 6.5), this vulnerabil
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32 , files uploaded by
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. Rated medium severity
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application All users of Nautobot v
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today