{ "schema_version": "1.4.0", "id": "GHSA-vf5m-xrhm-v999", "modified": "2024-11-22T18:15:15Z", "published": "2023-12-22T19:51:53Z", "aliases": [ "CVE-2023-51649" ], "summary": "Nautobot missing object-level permissions enforcement when running Job Buttons", "details": "### Impact\n\nWhen submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general?). Object-level permissions (i.e., does the user have permission to run this *specific* Job?) are not enforced by the URL/view used in this case (`/extras/job-button//run/`) The effect is that a user with permissions to run even a single Job can actually run all configured JobButton Jobs.\n\n> Not all Jobs can be configured as JobButtons; only those implemented as subclasses of `JobButtonReceiver` can be used in this way, so this vulnerability only applies specifically to `JobButtonReceiver` subclasses.\n\nAdditionally, although the documentation states that both `extras.run_job` permission and `extras.run_jobbutton` permission must be granted to a user in order to run Jobs via JobButton, the `extras.run_jobbutton` permission is not actually enforced by the view code, only by the UI by disabling the button from being clicked normally. Furthermore, the `extras.run_jobbutton` permission never prevented invoking Jobs (including `JobButtonReceiver` subclasses) via the normal \"Job Run\" UI, so after some discussion, we've decided that the `extras.run_jobbutton` permission is redundant, and as it never achieved its stated/documented purpose, the fixes below will remove the UI check for `extras.run_jobbutton` and all other references to the `extras.run_jobbutton` permission, rather than adding enforcement of this previously unenforced permission.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nFix will be available in Nautobot 1.6.8 (https://github.com/nautobot/nautobot/pull/4995) and 2.1.0 (https://github.com/nautobot/nautobot/pull/4993)\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nPartial mitigation can be achieved by auditing `JobButtonReceiver` subclasses defined in the system and restricting which users are permitted to create or edit JobButton records. \n\n### References\n\n- https://github.com/nautobot/nautobot/issues/4988\n- https://github.com/nautobot/nautobot/pull/4993\n- https://github.com/nautobot/nautobot/pull/4995\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "nautobot" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.5.14" }, { "fixed": "1.6.8" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "nautobot" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.1.0" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51649" }, { "type": "WEB", "url": "https://github.com/nautobot/nautobot/issues/4988" }, { "type": "WEB", "url": "https://github.com/nautobot/nautobot/pull/4993" }, { "type": "WEB", "url": "https://github.com/nautobot/nautobot/pull/4995" }, { "type": "WEB", "url": "https://github.com/nautobot/nautobot/commit/3d964f996f4926126c1d7853ca87b2ff475997a2" }, { "type": "WEB", "url": "https://github.com/nautobot/nautobot/commit/d33d0c15a36948c45244e5b5e10bc79b8e62de7f" }, { "type": "PACKAGE", "url": "https://github.com/nautobot/nautobot" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2023-287.yaml" } ], "database_specific": { "cwe_ids": [ "CWE-863" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-12-22T19:51:53Z", "nvd_published_at": "2023-12-22T17:15:10Z" } }