PT-2024-22801 · Nautobot · Nautobot

Joewesch · Published 2024-03-25 · Updated 2025-08-26 · CVE-2024-29199

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Nautobot versions prior to 1.6.16
Nautobot versions prior to 2.1.9
Description

A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated users. These endpoints include "/api/graphql/", "/api/users/users/session/", "/dcim/racks/<uuid:pk>/dynamic-groups/", "/dcim/devices/<uuid:pk>/dynamic-groups/", "/extras/job-results/<uuid:pk>/log-table/", and others. The EXEMPT_VIEW_PERMISSIONS configuration variable can permit access to specific data by unauthenticated users if changed from its default value. The endpoint "/extras/job-results/<uuid:pk>/log-table/" poses a significant risk of sensitive information disclosure under normal Nautobot operation with a default configuration.
Recommendations

For versions prior to 1.6.16, update to version 1.6.16 or later to fix the issue. For versions prior to 2.1.9, update to version 2.1.9 or later to fix the issue. As a temporary workaround, consider reverting the EXEMPT_VIEW_PERMISSIONS configuration variable to its default value to prevent exposure of Nautobot information to unauthenticated users.
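A post-upgrade verification script for the endpoints listed above, added here as an example and not Nautobot's own code: it requests each path without a session and reports whether the server refused it. The base URL argument, the all-zero placeholder UUID and the response classification are assumptions; run it against an instance you operate after applying the update or reverting EXEMPT_VIEW_PERMISSIONS.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Paths from the advisory; <uuid:pk> is filled with an all-zero placeholder UUID
# (constructed). Substitute a real object UUID for a conclusive answer on those views.
PLACEHOLDER_PK = "00000000-0000-0000-0000-000000000000"
ENDPOINTS = [
    "/api/graphql/",
    "/api/users/users/session/",
    f"/dcim/racks/{PLACEHOLDER_PK}/dynamic-groups/",
    f"/dcim/devices/{PLACEHOLDER_PK}/dynamic-groups/",
    f"/extras/job-results/{PLACEHOLDER_PK}/log-table/",
]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(base_url, path, timeout=10):
    """GET base_url+path with no session cookie; return (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urljoin(base_url, path), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def classify(status, location=None):
    """Map one unauthenticated response to a verdict."""
    if status in (401, 403):
        return "protected"      # API views refuse outright
    if 300 <= status < 400 and location and "/login/" in location:
        return "protected"      # UI views bounce to the login page
    if status == 404:
        return "inconclusive"   # placeholder UUID matched nothing; retry with a real pk
    return "exposed"            # content served without credentials

def check_instance(base_url, fetch_fn=fetch):
    """Return {path: verdict} for every endpoint in ENDPOINTS."""
    return {path: classify(*fetch_fn(base_url, path)) for path in ENDPOINTS}

if __name__ == "__main__":
    for path, verdict in check_instance(sys.argv[1]).items():
        print(f"{verdict:12} {path}")
```

Any path reported as "exposed" after the update means authentication is still not enforced there and needs investigation.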

Weakness Enumeration

Information Disclosure

Related Identifiers

CVE-2024-29199
GHSA-M732-WVH2-7CQ4

Affected Products

Nautobot