Abdikanipd

**Name of the Vulnerable Software and Affected Versions** Nautobot versions prior to 1.6.8 Nautobot versions prior to 2.1.0 **Description** Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run job` permission is checked. Object-level permissions are not enforced by the URL/view used in this case, specifically the `/extras/job-button/<uuid>/run/` endpoint. The effect is that a user with permissions to run even a single Job can actually run all configured JobButton Jobs. This vulnerability only applies to `JobButtonReceiver` subclasses. **Recommendations** For Nautobot versions prior to 1.6.8, upgrade to version 1.6.8 to resolve the issue. For Nautobot versions prior to 2.1.0, upgrade to version 2.1.0 to resolve the issue. As a temporary workaround, consider auditing `JobButtonReceiver` subclasses defined in the system and restricting which users are permitted to create or edit JobButton records.