PT-2025-24686 · Nautobot · Nautobot
Glennmatthews
Published: 2025-06-10 · Updated: 2025-08-21
CVE-2025-49143
CVSS v4.0: 6.3 (Medium)
| Vector | AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Nautobot versions prior to 2.4.10
Nautobot versions prior to 1.6.32
Description
The issue concerns Nautobot, a Network Source of Truth and Network Automation Platform. Files uploaded by users into Nautobot's MEDIA_ROOT directory (the Django setting that holds user-uploaded media) can be retrieved by anonymous users who know or can guess the correct URL for a given file, because the URL endpoint that serves these files does not enforce user authentication. Exploitation requires no privileges and no user interaction, but the attacker must obtain or guess a valid file URL, which is why the vector carries high attack complexity and a confidentiality-only impact.
Recommendations
For versions prior to 2.4.10, update to version 2.4.10 or later to address the issue.
For versions prior to 1.6.32, update to version 1.6.32 or later to address the issue.
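Two checks an operator would want before and after upgrading, as an added example that is not part of the original advisory or of the Nautobot project: a version comparison against the two fixed releases named above, and an unauthenticated probe of a known upload URL that reports whether the file is handed to an anonymous client. The probe assumes the instance serves uploads under a /media/ prefix and that you already know the path of one uploaded file; both are assumptions, not facts from the advisory.

```python
"""Check a Nautobot instance for CVE-2025-49143 exposure (added example).

1. version_is_affected(): compares a reported Nautobot version against the
   fixed releases named in the advisory (1.6.32 on the 1.x line, 2.4.10 on 2.x).
2. probe_media_url(): requests a MEDIA_ROOT-served file WITHOUT credentials and
   classifies the response. A 200 with a body means the file was returned to an
   anonymous client, which is the behaviour the advisory describes.
"""
import sys
import urllib.error
import urllib.request
from typing import Optional

# Fixed releases per the advisory, keyed by major version line.
FIXED = {1: (1, 6, 32), 2: (2, 4, 10)}


def parse_version(text: str) -> tuple:
    """'2.4.9' -> (2, 4, 9). A suffix such as '2.4.9b1' is dropped: -> (2, 4, 9)."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def version_is_affected(text: str) -> bool:
    """True if the version is 'prior to' the fixed release of its major line."""
    v = parse_version(text)
    if v[0] > 2:
        return False  # no major line above 2.x is named in the advisory
    fixed = FIXED.get(v[0], FIXED[1])  # anything below 1.x is also 'prior to 1.6.32'
    return v < fixed


def classify(status: int, location: Optional[str], body_len: int) -> str:
    """Turn an HTTP response to an unauthenticated media request into a verdict."""
    if status == 200 and body_len > 0:
        return "EXPOSED"  # file served to an anonymous client
    if status in (401, 403):
        return "PROTECTED"
    if status in (301, 302, 303, 307, 308) and location and "login" in location.lower():
        return "PROTECTED"  # bounced to a login page instead of served
    if status == 404:
        return "NOT_FOUND"  # wrong path or file removed; says nothing about auth
    return "INCONCLUSIVE"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def probe_media_url(url: str, timeout: float = 10.0) -> str:
    """GET `url` with no cookies or credentials and classify the result."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-49143-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, None, len(resp.read(1)))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Location"), 0)


if __name__ == "__main__":
    # Usage: python check.py <nautobot-version> <url-of-a-known-uploaded-file>
    # The /media/ prefix and the file path are assumptions about your deployment.
    version, url = sys.argv[1], sys.argv[2]
    print("version:", version, "affected" if version_is_affected(version) else "fixed")
    print("anonymous fetch:", probe_media_url(url))
```

Run the probe from a host with no session cookie for the instance; an EXPOSED verdict on a pre-fix version confirms the issue, and the same probe returning PROTECTED after the upgrade confirms the fix took effect. NOT_FOUND only means the path was wrong, not that access control is in place.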
Weakness Enumeration
Information Disclosure
Affected Products
Nautobot