PT-2024-26899 · Nautobot · Nautobot

Glenn Matthews · Published 2024-05-28 · Updated 2024-05-29

CVE-2024-36112
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Nautobot versions 1.3.0 through 1.6.22
Nautobot versions 2.0.0 through 2.2.4

Description
A user with the extras.view_dynamicgroup permission can use the Dynamic Group detail UI view (/extras/dynamic-groups/<uuid>/) and/or the members REST API view (/api/extras/dynamic-groups/<uuid>/members/) to list the objects that are members of a given Dynamic Group. Nautobot fails to restrict these listings based on the member object permissions: for example, a Dynamic Group of Device objects will list all Devices that it contains, regardless of whether the user holds the dcim.view_device permission for those Devices.

Recommendations
For Nautobot versions 1.3.0 through 1.6.22, upgrade to version 1.6.23. For Nautobot versions 2.0.0 through 2.2.4, upgrade to version 2.2.5. As a temporary workaround, consider removing the extras.view_dynamicgroup permission from users to partially mitigate the issue.
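The flaw described above is a missing object-level authorization check on a derived listing: the group view is gated only by the permission on the group itself, not by the permissions on the objects it enumerates. The following added example is not Nautobot code; it is a small stand-alone model of the same pattern, with a constructed set of Device records, a group defined by a filter, and a user whose dcim.view_device permission is constrained to one site. The unrestricted listing shows the vulnerable behaviour, and the restricted listing shows the check a fixed implementation needs to apply. Names such as User, DynamicGroup, list_members_restricted and the object_constraints field are assumptions for this example only.

```python
from __future__ import annotations

from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller lacks the model-level permission for the view."""


@dataclass(frozen=True)
class Device:
    # Constructed stand-in for a Device record; not Nautobot's model.
    name: str
    site: str
    role: str


@dataclass
class User:
    username: str
    # Model-level permissions, e.g. {"extras.view_dynamicgroup", "dcim.view_device"}.
    model_perms: set[str]
    # Hypothetical object-level constraints: permission -> list of attribute
    # filters. An empty list means the permission is unconstrained.
    object_constraints: dict[str, list[dict[str, str]]] = field(default_factory=dict)

    def has_perm(self, perm: str) -> bool:
        return perm in self.model_perms

    def permitted(self, perm: str, obj: object) -> bool:
        """Object-level check: the model permission must be held and at least
        one constraint (if any are configured) must match the object."""
        if not self.has_perm(perm):
            return False
        constraints = self.object_constraints.get(perm, [])
        if not constraints:
            return True
        return any(
            all(getattr(obj, attr) == value for attr, value in constraint.items())
            for constraint in constraints
        )


@dataclass
class DynamicGroup:
    name: str
    # The group's membership filter, evaluated against object attributes.
    filter: dict[str, str]

    def members(self, devices: tuple[Device, ...]) -> list[Device]:
        return [
            d for d in devices
            if all(getattr(d, attr) == value for attr, value in self.filter.items())
        ]


def list_members_unrestricted(user: User, group: DynamicGroup,
                              devices: tuple[Device, ...]) -> list[Device]:
    """Vulnerable pattern: only the permission on the group is checked, so
    every member object is disclosed regardless of the user's rights on it."""
    if not user.has_perm("extras.view_dynamicgroup"):
        raise PermissionDenied("extras.view_dynamicgroup required")
    return group.members(devices)


def list_members_restricted(user: User, group: DynamicGroup,
                            devices: tuple[Device, ...]) -> list[Device]:
    """Hardened pattern: the group permission gates the view, and each member
    is additionally filtered by the user's object-level view permission on
    the member model (dcim.view_device here)."""
    if not user.has_perm("extras.view_dynamicgroup"):
        raise PermissionDenied("extras.view_dynamicgroup required")
    return [d for d in group.members(devices) if user.permitted("dcim.view_device", d)]


# Constructed sample data for the demonstration.
DEVICES = (
    Device("core-ams-1", site="ams", role="core"),
    Device("core-nyc-1", site="nyc", role="core"),
    Device("edge-ams-1", site="ams", role="edge"),
)
CORE_GROUP = DynamicGroup("core-routers", {"role": "core"})

# May view the group, but may only view Devices at site "ams".
AMS_OPERATOR = User(
    "ams-operator",
    {"extras.view_dynamicgroup", "dcim.view_device"},
    {"dcim.view_device": [{"site": "ams"}]},
)
# May view the group but holds no Device permission at all.
GROUP_ONLY = User("group-only", {"extras.view_dynamicgroup"})


if __name__ == "__main__":
    for fn in (list_members_unrestricted, list_members_restricted):
        for user in (AMS_OPERATOR, GROUP_ONLY):
            names = [d.name for d in fn(user, CORE_GROUP, DEVICES)]
            print(f"{fn.__name__:28} {user.username:13} -> {names}")
```

Run as a script, the unrestricted listing returns both core devices to either user, while the restricted listing returns only core-ams-1 to the site-constrained operator and nothing to the user who lacks dcim.view_device. The same shape applies to the workaround in the advisory: removing extras.view_dynamicgroup makes both functions raise PermissionDenied, which closes the disclosure but also removes legitimate access to the group view, which is why it is described as only a partial mitigation.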

Weakness Enumeration

Improper Handling of Exceptional Conditions

Related Identifiers

CVE-2024-36112
GHSA-QMJF-WC2H-6X3Q
PYSEC-2024-166

Affected Products

Nautobot