CVE-2023-48700

The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are visible via Job Results from an execution of an Onboarding Task. Version 3.0.0 fixes this issue; no known workarounds are available. Mitigation recommendations include deleting all Job Results for any onboarding task to remove clear text credentials from database entries that were run while on v2.0.X, upgrading to v3.0.0, and rotating any exposed credentials.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nautobot:nautobot-plugin-device-onboarding:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-11-21 23:15

Updated : 2023-11-30 17:07

NVD link : CVE-2023-48700

Mitre link : CVE-2023-48700

CVE.ORG link : CVE-2023-48700

JSON object : View

Products Affected

nautobot

nautobot-plugin-device-onboarding

CWE

CWE-256

Plaintext Storage of a Password

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2023-48700", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2023-11-21T23:15:08.307", "references": [{"url": "https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-256"}, {"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are visible via Job Results from an execution of an Onboarding Task. Version 3.0.0 fixes this issue; no known workarounds are available. Mitigation recommendations include deleting all Job Results for any onboarding task to remove clear text credentials from database entries that were run while on v2.0.X, upgrading to v3.0.0, and rotating any exposed credentials."}, {"lang": "es", "value": "El complemento Nautobot Device Onboarding utiliza las librer\u00edas netmiko y NAPALM para simplificar el proceso de incorporaci\u00f3n de un nuevo dispositivo a Nautobot hasta, en muchos casos, una direcci\u00f3n IP y una ubicaci\u00f3n. A partir de la versi\u00f3n 2.0.0 y anteriores a la versi\u00f3n 3.0.0, las credenciales proporcionadas para la tarea de incorporaci\u00f3n son visibles a trav\u00e9s de los resultados del trabajo desde la ejecuci\u00f3n de una tarea de incorporaci\u00f3n. La versi\u00f3n 3.0.0 soluciona este problema; no hay workarounds conocidos disponibles. Las recomendaciones de mitigaci\u00f3n incluyen eliminar todos los resultados del trabajo para cualquier tarea de incorporaci\u00f3n para eliminar las credenciales de texto plano de las entradas de la base de datos que se ejecutaron en la versi\u00f3n 2.0.X, actualizar a la versi\u00f3n 3.0.0 y rotar las credenciales expuestas."}], "lastModified": "2023-11-30T17:07:35.870", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nautobot:nautobot-plugin-device-onboarding:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1974D38A-2A2A-4498-95A1-C9EB2137CB43", "versionEndExcluding": "3.0.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}