PT-2023-31867 · Nautobot · Nautobot

Abdikanipd · Published 2023-12-22 · Updated 2024-01-03 · CVE-2023-51649

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Nautobot versions prior to 1.6.8
Nautobot versions prior to 2.1.0
Description
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level extras.run_job permission is checked. Object-level permissions are not enforced by the URL/view used in this case, specifically the /extras/job-button/<uuid>/run/ endpoint. The effect is that a user with permission to run even a single Job can actually run all configured JobButton Jobs. This vulnerability only applies to JobButtonReceiver subclasses.
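As an added illustration (not Nautobot's code) of the model-level versus object-level check the description contrasts: Django's has_perm() and Nautobot's JobButton are replaced by hypothetical in-memory stand-ins (field names such as job_pk are assumptions) so the two views run offline side by side.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class JobButton:
    name: str
    job_pk: str  # hypothetical: identifier of the Job the button triggers


@dataclass
class User:
    username: str
    # Model-level permissions, e.g. {"extras.run_job"}.
    model_perms: set = field(default_factory=set)
    # Object-level constraints: permission -> set of job_pk values the user
    # may act on. A missing entry means the permission is unconstrained.
    object_constraints: dict = field(default_factory=dict)

    def has_perm(self, perm, obj=None):
        """Mimic Django's has_perm(): without obj only the model-level grant
        is consulted; with obj the object-level constraint is applied too."""
        if perm not in self.model_perms:
            return False
        if obj is None or perm not in self.object_constraints:
            return True
        return obj.job_pk in self.object_constraints[perm]


def run_job_button_vulnerable(user, job_button):
    """Before the fix: only the model-level extras.run_job grant is checked."""
    return user.has_perm("extras.run_job")


def run_job_button_fixed(user, job_button):
    """After the fix: the grant is evaluated against the specific Job."""
    return user.has_perm("extras.run_job", obj=job_button)


def demo():
    # Constructed sample: alice is only permitted to run the Job behind
    # button_a, yet the vulnerable view lets her run button_b as well.
    alice = User("alice", {"extras.run_job"}, {"extras.run_job": {"job-a"}})
    button_a = JobButton("Restart service A", "job-a")
    button_b = JobButton("Restart service B", "job-b")
    return {
        "vulnerable_a": run_job_button_vulnerable(alice, button_a),
        "vulnerable_b": run_job_button_vulnerable(alice, button_b),
        "fixed_a": run_job_button_fixed(alice, button_a),
        "fixed_b": run_job_button_fixed(alice, button_b),
    }
```

Only the object-aware check denies alice the second button; a user with no model-level grant is denied by both views.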
Recommendations
For Nautobot versions prior to 1.6.8, upgrade to version 1.6.8 to resolve the issue. For Nautobot versions prior to 2.1.0, upgrade to version 2.1.0 to resolve the issue. As a temporary workaround, consider auditing JobButtonReceiver subclasses defined in the system and restricting which users are permitted to create or edit JobButton records.

Weakness Enumeration
Incorrect Authorization

Related Identifiers
CVE-2023-51649
GHSA-VF5M-XRHM-V999
PYSEC-2023-287

Affected Products
Nautobot