Impact A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users, including the following: /api/graphql/ (1) /api/users/users/session/ (Nautobot 2.x only; the only information exposed to an anonymous user is which authentication backend classes are enabled on this Nautobot instance) /dcim/racks/<uuid:pk>/dynamic-groups/ (1) /dcim/devices/<uuid:pk>/dynamic-groups/ (1) /extras/job-results/<uuid:pk>/log-table/ /extras/secrets/provider/<str:provider_slug>/form/ (the only information exposed to an anonymous user is the fact that a secrets provider with the given slug (e.g. environment-variable or text-file) is supported by this Nautobot instance) /ipam/prefixes/<uuid:pk>/dynamic-groups/ (1) /ipam/ip-addresses/<uuid:pk>/dynamic-groups/ (1) /virtualization/clusters/<uuid:pk>/dynamic-groups/ (1) /virtualization/virtual-machines/<uuid:pk>/dynamic-groups/ (1) (1) These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. Of these endpoints, the only one that poses any significant risk of sensitive information disclosure under normal Nautobot operation with a default configuration is /extras/job-results/<uuid:pk>/log-table/. This endpoint returns an HTML table containing all of the logs associated with the specified JobResult; while…Read More
References
Back to Main