CVE-2023-50263

LOW 3.7 | EPSS 0.45%

Unauthenticated db-file-storage views

Published: 12/13/2023
Modified: 11/22/2024

Description

### Impact

In Nautobot 1.x and 2.0.x, the URLs `/files/get/?name=...` and `/files/download/?name=...` are used to provide admin access to files that have been uploaded as part of a run request for a Job that has FileVar inputs. Under normal operation these files are ephemeral and are deleted once the Job in question runs.

It was reported by @kircheneer that in the default implementation used in Nautobot, as provided by `django-db-file-storage`, these URLs do not by default require any user authentication to access; they should instead be restricted to only users who have permissions to view Nautobot's `FileProxy` model instances.

Note that no URL mechanism is provided for listing or traversal of the available file `name` values, so in practice an unauthenticated user would have to guess names to discover arbitrary files for download. But if a user knows the file name/path value, they can access it without authenticating, so we are considering this a vulnerability.

### Patches

Fixes will be included in Nautobot 1.6.7 and Nautobot 2.0.6.

### Workarounds

No workaround other than applying the patches included in https://github.com/nautobot/nautobot/pull/4959/files (2.0.x) or https://github.com/nautobot/nautobot/pull/4964/files (1.6.x).

### References

- https://github.com/victor-o-silva/db_file_storage/blob/master/db_file_storage/views.py
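As an added example (not part of the advisory or of Nautobot), the following scans web-server access logs for requests to the two views named above, so an operator can check whether they were reached before the patch was applied and whether one client was guessing `name` values. It assumes Apache/nginx combined-format logs and that an unknown name returns 404; the log lines are constructed here.

```python
# Added example, not part of the advisory or of Nautobot: scan access logs for
# requests to the two db-file-storage views. The log lines are constructed in
# Apache/nginx "combined" format, and the 404-for-unknown-name behaviour is an
# assumption about the deployment being reviewed.
import re
from collections import defaultdict
from urllib.parse import parse_qs

FILE_VIEWS = ("/files/get/", "/files/download/")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
SAMPLE_LOG = """\
203.0.113.9 - - [10/Dec/2023:11:02:01 +0000] "GET /files/get/?name=job_inputs/5a1/devices.csv HTTP/1.1" 200 3812
203.0.113.9 - - [10/Dec/2023:11:02:03 +0000] "GET /files/download/?name=job_inputs/5a2/devices.csv HTTP/1.1" 404 0
203.0.113.9 - - [10/Dec/2023:11:02:04 +0000] "GET /files/download/?name=job_inputs/5a3/devices.csv HTTP/1.1" 404 0
198.51.100.7 - - [10/Dec/2023:11:05:40 +0000] "GET /dcim/devices/ HTTP/1.1" 200 55021
198.51.100.7 - - [10/Dec/2023:11:06:12 +0000] "GET /files/download/?name=job_inputs/7b0/config.txt HTTP/1.1" 200 1024
"""

def parse_file_view_hits(log_text):
    """One record per request that reached /files/get/ or /files/download/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        path, _, query = m.group("target").partition("?")
        if path not in FILE_VIEWS:
            continue
        names = parse_qs(query).get("name", [])
        hits.append({"ip": m.group("ip"), "path": path,
                     "name": names[0] if names else None,
                     "status": int(m.group("status"))})
    return hits

def summarize_by_client(hits):
    """Per client: names served (2xx) and misses (404); many misses from one
    client is the name-guessing pattern the advisory describes."""
    summary = defaultdict(lambda: {"served": [], "missed": 0})
    for h in hits:
        entry = summary[h["ip"]]
        if 200 <= h["status"] < 300:
            entry["served"].append(h["name"])
        elif h["status"] == 404:
            entry["missed"] += 1
    return dict(summary)
```

Run `summarize_by_client(parse_file_view_hits(open("access.log").read()))` against a real log; the served list tells you which uploaded files were actually retrieved, which is the relevant question for an unpatched 1.x or 2.0.x instance.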

Affected packages (2)

  • PyPI/nautobot >= 1.1.0, < 1.6.7
  • PyPI/nautobot from 0, < 458280c359a4833a20da294eaf4b8d55edc91cee, < 7c4cf3137f45f1541f09f2f6a7f8850cd3a2eaee | >= 2.0.0, < 2.0.6, >= 1.1.0, < 1.6.7

CVSS scores

Source   Version   Severity   Vector
osv      CVSS 3.1  LOW 3.7    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References (10)