PT-2023-7024 · Nautobot · Nautobot

Glennnmatthews · Published 2023-10-24 · Updated 2023-11-01 · CVE-2023-46128

CVSS v4.0: 8.3 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: Nautobot versions 2.0.0 through 2.0.2

Description: Nautobot's REST API exposes hashed user passwords when a request uses the ?depth=<N> query parameter to ask for nested object representations. Endpoints whose objects reference a user serialize that user object in full at the requested depth, and the serialized user includes the stored password hash. Any authenticated user with access to such an endpoint can retrieve the hashes. Passwords are not exposed in plaintext, but the values are Django password hashes (PBKDF2-SHA256 by default), which can be subjected to offline cracking. Known impacted endpoints include /api/dcim/rack-reservations/, /api/extras/job-results/, /api/extras/notes/, /api/extras/object-changes/, /api/extras/scheduled-jobs/, and /api/users/permissions/, among others, when an appropriate ?depth=<N> query parameter is specified.

Recommendations: Upgrade to Nautobot version 2.0.3 or later. Restricting access to the known impacted REST API endpoints is at best a partial workaround and is not recommended, because other endpoints that nest user objects may expose the same data until the instance is patched. After upgrading, confirm the fix by requesting one of the listed endpoints with ?depth=1 and checking that no nested user object in the response carries a password field.
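The check suggested above, written out as an added example (this is not Nautobot's own code and not taken from the advisory): a scanner that walks a decoded REST API response, reports every key named "password" wherever it is nested, and classifies the value by Django's hash layout. The two sample responses are constructed to resemble a /api/dcim/rack-reservations/ listing with and without ?depth=1; their field names, IDs and hash value are assumptions, not captured output from a real instance. The fetch helper assumes Nautobot's "Authorization: Token <token>" header and the standard limit query parameter.

```python
"""Check Nautobot REST API responses for password hashes leaked via ?depth=<N>.

Added example; not Nautobot's own code. The sample responses below are
constructed for illustration and are not captured from a real instance.
"""
import json
import re
import urllib.request
from typing import Any, Iterator

# Django stores passwords as "<algorithm>$<iterations>$<salt>$<hash>"
# (PBKDF2-SHA256 by default); Nautobot is Django-based, so a leaked hash
# follows this layout.
DJANGO_HASH_RE = re.compile(
    r"^(pbkdf2_sha256|pbkdf2_sha1|argon2|bcrypt_sha256|bcrypt|scrypt)\$"
)


def find_password_fields(obj: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every key named "password", at any depth."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key == "password":
                yield child, value
            yield from find_password_fields(value, child)
    elif isinstance(obj, list):
        for index, item in enumerate(obj):
            yield from find_password_fields(item, f"{path}[{index}]")


def classify(value: Any) -> str:
    """Label a leaked value: usable Django hash, unusable-password marker, or other."""
    if isinstance(value, str):
        if DJANGO_HASH_RE.match(value):
            return "django-hash"
        if value.startswith("!"):  # Django's marker for accounts with no usable password
            return "unusable-password"
    return "other"


def scan_response(body: str) -> list[dict]:
    """Return one finding per leaked password field in a JSON response body."""
    return [
        {"path": path, "kind": classify(value)}
        for path, value in find_password_fields(json.loads(body))
    ]


def fetch(base_url: str, token: str, endpoint: str, depth: int = 1) -> str:
    """GET an endpoint with ?depth=<N> using Nautobot token auth (not run here)."""
    request = urllib.request.Request(
        f"{base_url.rstrip('/')}{endpoint}?depth={depth}&limit=50",
        headers={"Authorization": f"Token {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return response.read().decode("utf-8")


# Constructed sample: what a vulnerable 2.0.0-2.0.2 instance might return for
# /api/dcim/rack-reservations/?depth=1, with the user object nested in full.
SAMPLE_DEPTH1 = json.dumps({
    "count": 1,
    "results": [{
        "id": "4d1f0d7e-0000-4000-8000-000000000001",
        "units": [1, 2],
        "user": {
            "id": "9b2c3a10-0000-4000-8000-000000000002",
            "username": "alice",
            "is_staff": False,
            "password": "pbkdf2_sha256$600000$c2FsdHNhbHQ$dummyHashForIllustrationOnly=",
        },
    }],
})

# Constructed sample: the same listing without ?depth, where the user is only
# referenced, not expanded, so no password field is present.
SAMPLE_DEPTH0 = json.dumps({
    "count": 1,
    "results": [{
        "id": "4d1f0d7e-0000-4000-8000-000000000001",
        "units": [1, 2],
        "user": {
            "id": "9b2c3a10-0000-4000-8000-000000000002",
            "url": "/api/users/users/9b2c3a10-0000-4000-8000-000000000002/",
        },
    }],
})


if __name__ == "__main__":
    for label, body in (("depth=1", SAMPLE_DEPTH1), ("depth=0", SAMPLE_DEPTH0)):
        print(f"{label}: {scan_response(body) or 'no password fields'}")
```

Against a live instance, pass the body returned by fetch() for each endpoint listed in the advisory to scan_response(); a "django-hash" finding on a 2.0.3+ instance means the fix is not in place. A clean result for the listed endpoints says nothing about endpoints the advisory does not name, which is why the upgrade, not access restriction, is the recommended fix.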

Weakness Enumeration

Cleartext Storage of Sensitive Information

Information Disclosure

Related Identifiers

BDU:2023-08045
CVE-2023-46128
GHSA-R2HW-74XV-4GQP
PYSEC-2023-220

Affected Products

Nautobot