Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Nautobot missing object-level permissions enforcement when running Job Buttons
Vulnerability Description
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L
Vulnerability Type
授权机制不正确
Vulnerability Title
Nautobot 安全漏洞
Vulnerability Description
Nautobot是Nautobot个人开发者的一个网络自动化平台。 Nautobot 1.5.14及之前版本存在安全漏洞,该漏洞源于当通过Job Button提交要运行的作业时,未检查对象级权限。
CVSS Information
N/A
Vulnerability Type
N/A