CVE-2023-51649
Nautobot missing object-level permissions enforcement when running Job Buttons
Severity: LOW (3.5) | EPSS: 0.10%
Description
### Impact

When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general?). Object-level permissions (i.e., does the user have permission to run this *specific* Job?) are not enforced by the URL/view used in this case (`/extras/job-button/<uuid>/run/`). The effect is that a user with permission to run even a single Job can actually run all configured JobButton Jobs.

> Not all Jobs can be configured as JobButtons; only those implemented as subclasses of `JobButtonReceiver` can be used in this way, so this vulnerability only applies specifically to `JobButtonReceiver` subclasses.

Additionally, although the documentation states that both the `extras.run_job` permission and the `extras.run_jobbutton` permission must be granted to a user in order to run Jobs via a JobButton, the `extras.run_jobbutton` permission is not actually enforced by the view code, only by the UI, which disables the button so it cannot be clicked normally. Furthermore, the `extras.run_jobbutton` permission never prevented invoking Jobs (including `JobButtonReceiver` subclasses) via the normal "Job Run" UI, so after some discussion we've decided that the `extras.run_jobbutton` permission is redundant, and as it never achieved its stated/documented purpose, the fixes below remove the UI check for `extras.run_jobbutton` and all other references to the `extras.run_jobbutton` permission, rather than adding enforcement of this previously unenforced permission.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

Fix will be available in Nautobot 1.6.8 (https://github.com/nautobot/nautobot/pull/4995) and 2.1.0 (https://github.com/nautobot/nautobot/pull/4993).

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Partial mitigation can be achieved by auditing `JobButtonReceiver` subclasses defined in the system and restricting which users are permitted to create or edit JobButton records.

### References

- https://github.com/nautobot/nautobot/issues/4988
- https://github.com/nautobot/nautobot/pull/4993
- https://github.com/nautobot/nautobot/pull/4995
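The permission gap described in the Impact section, and the audit suggested under Workarounds, as an added illustration that is not Nautobot's code: a toy permission model in the style of constrained object permissions (every class, function and sample value below is hypothetical and constructed for this example), showing a Job Button run check that consults only the model-level `extras.run_job` permission beside one that also requires the object-level permission for the specific Job, plus a helper that lists which JobButtons are bound to receiver-type Jobs.

```python
"""Added example, not Nautobot's code. Models the difference between a
model-level permission check ("may this user run Jobs at all?") and an
object-level check ("may this user run *this* Job?"), which is the gap
behind CVE-2023-51649. Names and data are hypothetical."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Job:
    name: str
    is_job_button_receiver: bool  # only receiver-type jobs can back a JobButton


@dataclass(frozen=True)
class JobButton:
    name: str
    job: Job


@dataclass
class ObjectPermission:
    """A grant of `action`, optionally constrained to Jobs matching `constraints`.
    An empty constraints dict means the grant covers every Job."""
    action: str
    constraints: dict = field(default_factory=dict)

    def matches(self, job: Job) -> bool:
        return all(getattr(job, key) == value for key, value in self.constraints.items())


@dataclass
class User:
    username: str
    permissions: list


def has_model_perm(user: User, action: str) -> bool:
    """Model-level check: does the user hold *any* grant of `action`?"""
    return any(p.action == action for p in user.permissions)


def has_object_perm(user: User, action: str, job: Job) -> bool:
    """Object-level check: does some grant of `action` cover this specific Job?"""
    return any(p.action == action and p.matches(job) for p in user.permissions)


def run_job_button_vulnerable(user: User, button: JobButton) -> bool:
    """Pre-fix pattern: only the model-level permission is consulted, so any
    user who may run at least one Job may run every JobButton's Job."""
    return has_model_perm(user, "extras.run_job")


def run_job_button_fixed(user: User, button: JobButton) -> bool:
    """Post-fix pattern: the model-level check is kept, and the object-level
    check for the button's own Job is added."""
    if not has_model_perm(user, "extras.run_job"):
        return False
    return has_object_perm(user, "extras.run_job", button.job)


def audit_job_buttons(buttons) -> list:
    """Workaround-style audit: names of buttons whose Job is a receiver type,
    i.e. the set of Jobs exposed through the button run path."""
    return sorted(b.name for b in buttons if b.job.is_job_button_receiver)


def compare(user: User, buttons) -> dict:
    """Map each button name to (vulnerable_result, fixed_result) for `user`."""
    return {
        b.name: (run_job_button_vulnerable(user, b), run_job_button_fixed(user, b))
        for b in buttons
    }


# Constructed sample data (hypothetical, not from any real deployment).
PING = Job(name="Ping", is_job_button_receiver=True)
DECOM = Job(name="Decommission", is_job_button_receiver=True)
BUTTONS = [JobButton("ping-btn", PING), JobButton("decom-btn", DECOM)]
# alice may run only the "Ping" Job; bob holds no run_job grant at all.
ALICE = User("alice", [ObjectPermission("extras.run_job", {"name": "Ping"})])
BOB = User("bob", [ObjectPermission("extras.view_job")])

if __name__ == "__main__":
    for name, (vuln, fixed) in compare(ALICE, BUTTONS).items():
        print(f"{name}: model-level only -> {vuln}, with object-level -> {fixed}")
    print("receiver-backed buttons:", audit_job_buttons(BUTTONS))
```

Running the block shows alice allowed to run both buttons under the model-level-only check but only `ping-btn` once the object-level check is added; the audit helper is the kind of inventory the Workarounds section suggests building while a deployment is still on an affected version.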
Affected packages (2)
- PyPI/nautobot >= 1.5.14, < 1.6.8
- PyPI/nautobot >= 2.0.0, < 2.1.0, >= 1.5.14, < 1.6.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L |
References (9)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-51649
- PATCH https://github.com/nautobot/nautobot
- WEB https://github.com/nautobot/nautobot/commit/3d964f996f4926126c1d7853ca87b2ff475997a2
- WEB https://github.com/nautobot/nautobot/commit/d33d0c15a36948c45244e5b5e10bc79b8e62de7f
- WEB https://github.com/nautobot/nautobot/issues/4988
- WEB https://github.com/nautobot/nautobot/pull/4993
- WEB https://github.com/nautobot/nautobot/pull/4995
- WEB https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2023-287.yaml