PT-2023-30909 · Nautobot+2 · Nautobot Device Onboarding Plugin+2

Whitej6 · Published 2023-11-21 · Updated 2023-11-30 · CVE-2023-48700

CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Nautobot Device Onboarding plugin versions 2.0.0 through 2.0.2
Nautobot Device Onboarding plugin versions 2.0.0 through 2.0.x

Description
The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot. Credentials provided to onboarding tasks are visible via Job Results from an execution of an Onboarding Task. This issue is fixed in version 3.0.0.

Recommendations
For versions 2.0.0 through 2.0.2, delete all Job Results for any onboarding task to remove clear text credentials from database entries. For versions 2.0.0 through 2.0.x, upgrade to version 3.0.0. Rotate any exposed credentials.
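As an added example (not code from the plugin or from Nautobot), the triage step behind the recommendation above: given Job Results exported as plain dicts, find the onboarding task results that still hold cleartext credentials, so they can be deleted, and collect the account names that need rotation. The field names `id`, `job_name` and `data`, the job name string and the sample values are constructed assumptions, not the plugin's real schema.

```python
"""Triage Job Results exported from Nautobot for leaked onboarding credentials.

Added example, not plugin or Nautobot code. Input shape is an assumption:
each result is a dict with "id", "job_name" and "data" (nested job kwargs/output).
"""
import re

# Keys whose non-empty string values are treated as cleartext credentials (assumption).
CREDENTIAL_KEY = re.compile(r"password|passwd|secret|token", re.IGNORECASE)
ONBOARDING_MARKER = "onboarding"  # matched case-insensitively against the job name


def walk_strings(obj, path=""):
    """Yield (dotted_path, value) for every string leaf in a nested dict/list."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def triage_job_results(results):
    """Return (ids of onboarding results holding credentials, sorted usernames seen in them)."""
    to_delete, usernames = [], set()
    for result in results:
        if ONBOARDING_MARKER not in result.get("job_name", "").lower():
            continue  # only onboarding task results are in scope
        leaves = list(walk_strings(result.get("data", {})))
        leaked = [v for p, v in leaves if CREDENTIAL_KEY.search(p.rsplit(".", 1)[-1]) and v]
        if leaked:
            to_delete.append(result["id"])
            usernames.update(v for p, v in leaves if p.rsplit(".", 1)[-1].lower() == "username")
    return to_delete, sorted(usernames)


# Constructed sample export: two onboarding runs with stored credentials, one unrelated job,
# one onboarding run whose result carries only output text.
SAMPLE_RESULTS = [
    {"id": 1, "job_name": "nautobot_device_onboarding.jobs/OnboardingTask",
     "data": {"kwargs": {"ip_address": "192.0.2.10", "username": "netops",
                         "password": "Sup3rS3cret!", "secret": ""}}},
    {"id": 2, "job_name": "nautobot_device_onboarding.jobs/OnboardingTask",
     "data": {"kwargs": {"ip_address": "192.0.2.11", "username": "netops",
                         "password": "Sup3rS3cret!"}}},
    {"id": 3, "job_name": "nautobot.core.jobs/ExportObjectList",
     "data": {"kwargs": {"password": "unrelated"}}},
    {"id": 4, "job_name": "nautobot_device_onboarding.jobs/OnboardingTask",
     "data": {"output": "onboarded 192.0.2.12"}},
]

if __name__ == "__main__":
    ids, users = triage_job_results(SAMPLE_RESULTS)
    print(f"delete Job Results {ids}; rotate credentials for {users}")
```

Once the flagged results are deleted and the listed accounts rotated, rerun the triage against a fresh export to confirm nothing remains before upgrading to 3.0.0.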

Exploit

Fix

Information Disclosure

Cleartext Storage of Sensitive Information


Weakness Enumeration

Related Identifiers

CVE-2023-48700
GHSA-QF3C-RW9F-JH7V
PYSEC-2023-288

Affected Products

Napalm
Nautobot Device Onboarding Plugin
Netmiko