GHSA-qf3c-rw9f-jh7v
Vulnerability from github
Published
2023-11-21 23:50
Modified
2024-11-22 18:13
Severity: Moderate
Summary
Clear Text Credentials Exposed via Onboarding Task
Details
Impact
When credentials are provided while creating an OnboardingTask, they may be visible in the Job Results view under the Additional Data tab, as the args of the Celery task execution. This only applies to OnboardingTasks created with credentials specified while on v2.0.0-2.0.2 of Nautobot Device Onboarding. This advisory does not apply to earlier versions, or when NAPALM_USERNAME and NAPALM_PASSWORD from nautobot_config.py are used instead.
Patches
v3.0.0
Workarounds
None
Recommendations
- Delete all Job Results for onboarding tasks that were run while on v2.0.X, to remove the clear-text credentials from the database entries
- Upgrade to v3.0.0
- Rotate any exposed credential
Advisory record
Affected package: nautobot-device-onboarding (PyPI), introduced 2.0.0, fixed 3.0.0
Aliases: CVE-2023-48700
CWE: CWE-200, CWE-256
Severity: MODERATE (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
GitHub reviewed: yes, 2023-11-21T23:50:02Z
NVD published: 2023-11-21T23:15:08Z
Published: 2023-11-21T23:50:02Z
Modified: 2024-11-22T18:13:19Z
Schema version: 1.4.0
References
- WEB: https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-48700
- PACKAGE: https://github.com/nautobot/nautobot-plugin-device-onboarding
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/nautobot-device-onboarding/PYSEC-2023-288.yaml