CVE-2024-29199 LOW

CVE-2024-29199: Unauthenticated views may expose information to anonymous users

Vendor Nautobot
Product nautobot
Weakness CWE-200 · Info exposure
Published March 26, 2024
Last update August 2, 2024
View on NVD All CVEs

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9.

Key dates

02Disclosure timeline

March 26, 2024 CVE published
August 2, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-9352 NousResearch hermes-agent Messaging Gateway local.py _make_run_env information disclosure CVE-2025-9461 diyhi bbs File Compression FilePackageManageAction.java information disclosure CVE-2026-28492 File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory CVE-2022-31066 Configuration API in EdgeXFoundry exposes message bus credentials to local unauthenticated users CVE-2023-34243 Windows user name disclosure in TGstation