CVE-2026-44798

描述

### Impact A user with access to add/change a GitRepository record could use the REST API to directly set the `current_head` field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified `branch` (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the `current_head` pointing to a nonexistent commit hash or malformed value. ### Patches The issue has been remediated in Nautobot v2.4.33 and 3.1.2. ### Workarounds Note that many of the same end-result symptoms could be caused by a user with the same level of access simply changing the `branch` or `remote_url` of a GitRepository rather than crafting the `current_head`. Administrators are encouraged to carefully review which users are granted permissions to create and modify GitRepository records. ### References - 2.4.33 (<a href="https://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609">patch</a>) - 3.1.2 (<a href="https://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3">patch</a>)

受影響套件(1)

• PyPI/nautobot>= 3.0.0a2, < 3.1.2

CVSS 分數

參考連結(6)

• PATCHhttps://github.com/nautobot/nautobot
• WEBhttps://github.com/nautobot/nautobot/commit/9deddfc91ad9260ad17b5e20084e9e2d15be3609
• WEBhttps://github.com/nautobot/nautobot/commit/c46f97040b2bde4320be36b23577f19a8bcbd8c3
• WEBhttps://github.com/nautobot/nautobot/releases/tag/v2.4.33
• WEBhttps://github.com/nautobot/nautobot/releases/tag/v3.1.2
• WEBhttps://github.com/nautobot/nautobot/security/advisories/GHSA-p3hx-pwf3-j8wr