Nautobot · Nautobot · CVE-2024-36112
**Name of the Vulnerable Software and Affected Versions**
Nautobot versions 1.3.0 through 1.6.22
Nautobot versions 2.0.0 through 2.2.4
**Description**
A user with the `extras.view_dynamicgroup` permission can use the Dynamic Group detail UI view (`/extras/dynamic-groups/<uuid>/`) and/or the members REST API view (`/api/extras/dynamic-groups/<uuid>/members/`) to list the objects that are members of a given Dynamic Group. Nautobot fails to restrict these listings based on the user's permissions for the member objects themselves. For example, a Dynamic Group of Device objects will list all Devices that it contains, regardless of whether the user holds any `dcim.view_device` permission.
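The following is an added, constructed model of the missing check; it is not Nautobot's code. It assumes a simplified permission store where each grant is an action on a model plus optional field constraints, and contrasts a member listing gated only on the group permission with one filtered by the member model's own view grants.

```python
"""Constructed model of the authorization gap in CVE-2024-36112.

Listing the members of a Dynamic Group must be restricted by the view
permission on the *member* model (with any object-level constraints),
not only by the permission on the Dynamic Group itself.
"""
from dataclasses import dataclass, field


@dataclass
class ObjectPermission:
    """One grant: an action on a model, optionally limited by field constraints."""
    action: str                                       # e.g. "view"
    model: str                                        # e.g. "dcim.device"
    constraints: dict = field(default_factory=dict)   # {} means every object


@dataclass
class User:
    perms: list = field(default_factory=list)

    def grants_for(self, action, model):
        return [p for p in self.perms if p.action == action and p.model == model]


@dataclass
class DynamicGroup:
    model: str            # model of the member objects, e.g. "dcim.device"
    members: list         # constructed rows, e.g. {"name": "sw1", "site": "nyc"}


def list_members_vulnerable(group, user):
    """Pre-fix behaviour: only the Dynamic Group permission is checked."""
    if not user.grants_for("view", "extras.dynamicgroup"):
        return []
    return list(group.members)   # every member is returned, whatever the member perms


def matches(row, grant):
    """True when the row satisfies all field constraints of the grant."""
    return all(row.get(k) == v for k, v in grant.constraints.items())


def list_members_fixed(group, user):
    """Fixed behaviour: members are filtered by view grants on the member model."""
    if not user.grants_for("view", "extras.dynamicgroup"):
        return []
    grants = user.grants_for("view", group.model)   # no grants -> nothing listed
    return [m for m in group.members if any(matches(m, g) for g in grants)]
```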
**Recommendations**
For Nautobot versions 1.3.0 through 1.6.22, upgrade to version 1.6.23.
For Nautobot versions 2.0.0 through 2.2.4, upgrade to version 2.2.5.
As a temporary workaround, consider removing the `extras.view_dynamicgroup` permission from users to partially mitigate the issue.