Nautobot: Management of users via REST API does not apply configured password validators

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

弱口令要求

Nautobot 安全漏洞

Nautobot是Nautobot个人开发者的一个网络自动化平台。 Nautobot 2.4.30之前版本和3.0.10之前版本存在安全漏洞，该漏洞源于通过REST API创建和编辑用户时未能应用Django的AUTH_PASSWORD_VALIDATORS设置定义的密码验证规则，可能导致创建或修改的用户密码弱或不符配置标准。

N/A

N/A