CVE-2023-46128 MEDIUM

CVE-2023-46128: Exposure of hashed user passwords via REST API in Nautobot

Vendor Nautobot

Product nautobot

Weakness CWE-200 · Info exposure

Published October 24, 2023

Last update September 11, 2024

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=<N>` query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. The passwords are not exposed in plaintext. This vulnerability has been patched in version 2.0.3.

Key dates

02Disclosure timeline

October 24, 2023 CVE published

September 11, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-46128 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2023-46128: Exposure of hashed user passwords via REST API in Nautobot

01Description

02Disclosure timeline

03References

04Related CVE