CVE-2024-23345 - OpenCVE

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Networktocode	Nautobot

Configuration 1 [-]

OR	cpe:2.3:a:networktocode:nautobot::::::::
	cpe:2.3:a:networktocode:nautobot::::::::

No data.

References

Link	Providers
https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80
https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce
https://github.com/nautobot/nautobot/pull/5133
https://github.com/nautobot/nautobot/pull/5134
https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-22T23:14:52.596Z

Updated: 2024-08-01T22:59:32.209Z

Reserved: 2024-01-15T15:19:19.445Z

Link: CVE-2024-23345

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-23T00:15:26.690

Modified: 2024-01-29T17:34:14.987

Link: CVE-2024-23345

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23345", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.445Z", "datePublished": "2024-01-22T23:14:52.596Z", "dateUpdated": "2024-08-01T22:59:32.209Z"}, "containers": {"cna": {"title": "Nautobot has XSS potential in rendered Markdown fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h"}, {"name": "https://github.com/nautobot/nautobot/pull/5133", "tags": ["x_refsource_MISC"], "url": "https://github.com/nautobot/nautobot/pull/5133"}, {"name": "https://github.com/nautobot/nautobot/pull/5134", "tags": ["x_refsource_MISC"], "url": "https://github.com/nautobot/nautobot/pull/5134"}, {"name": "https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80", "tags": ["x_refsource_MISC"], "url": "https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80"}, {"name": "https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce", "tags": ["x_refsource_MISC"], "url": "https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce"}], "affected": [{"vendor": "nautobot", "product": "nautobot", "versions": [{"version": ">= 2.0.0, < 2.1.2", "status": "affected"}, {"version": "< 1.6.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-22T23:14:52.596Z"}, "descriptions": [{"lang": "en", "value": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2."}], "source": {"advisory": "GHSA-v4xv-795h-rv4h", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.209Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h"}, {"name": "https://github.com/nautobot/nautobot/pull/5133", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nautobot/nautobot/pull/5133"}, {"name": "https://github.com/nautobot/nautobot/pull/5134", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nautobot/nautobot/pull/5134"}, {"name": "https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80"}, {"name": "https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B240ABD-D9C3-4C3F-969A-8D75BC9C0C13", "versionEndExcluding": "1.6.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*", "matchCriteriaId": "814D6EE3-ED3C-46D1-A5E9-6FF192CDE8B7", "versionEndExcluding": "2.1.2", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. This issue is fixed in Nautobot versions 1.6.10 and 2.1.2."}, {"lang": "es", "value": "Nautobot es una plataforma de automatizaci\u00f3n de redes y fuente de verdad de red creada como una aplicaci\u00f3n web. Todos los usuarios de versiones de Nautobot anteriores a 1.6.10 o 2.1.2 se ven potencialmente afectados por una vulnerabilidad de cross-site scripting. Debido a una sanitizaci\u00f3n de entrada inadecuada, cualquier campo editable por el usuario que admita la representaci\u00f3n de Markdown, incluido el mismo, es potencialmente susceptible a ataques de cross-site scripting (XSS) a trav\u00e9s de datos creados con fines malintencionados. Este problema se solucion\u00f3 en las versiones 1.6.10 y 2.1.2 de Nautobot."}], "id": "CVE-2024-23345", "lastModified": "2024-01-29T17:34:14.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-23T00:15:26.690", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nautobot/nautobot/commit/17effcbe84a72150c82b138565c311bbee357e80"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nautobot/nautobot/commit/64312a4297b5ca49b6cdedf477e41e8e4fd61cce"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nautobot/nautobot/pull/5133"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nautobot/nautobot/pull/5134"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-v4xv-795h-rv4h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}