FKIE_CVE-2024-29199

Vulnerability from fkie_nvd - Published: 2024-03-26 03:15 - Updated: 2025-08-26 17:18
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9.
References
security-advisories@github.comhttps://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750Patch
security-advisories@github.comhttps://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfbPatch
security-advisories@github.comhttps://github.com/nautobot/nautobot/pull/5464Patch
security-advisories@github.comhttps://github.com/nautobot/nautobot/pull/5465Patch
security-advisories@github.comhttps://github.com/nautobot/nautobot/releases/tag/v1.6.16Release Notes
security-advisories@github.comhttps://github.com/nautobot/nautobot/releases/tag/v2.1.9Release Notes
security-advisories@github.comhttps://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfbPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/nautobot/nautobot/pull/5464Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/nautobot/nautobot/pull/5465Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/nautobot/nautobot/releases/tag/v1.6.16Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/nautobot/nautobot/releases/tag/v2.1.9Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4Third Party Advisory
Impacted products
Vendor Product Version
networktocode nautobot *
networktocode nautobot *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD69F21F-1300-4595-A1E9-B9893B324185",
              "versionEndExcluding": "1.6.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "70943FA5-2BC9-416F-AA8F-CB7F7C19671C",
              "versionEndExcluding": "2.1.9",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9."
    },
    {
      "lang": "es",
      "value": "Nautobot es una plataforma de automatizaci\u00f3n de redes y fuente de verdad de red. Se descubri\u00f3 que varios endpoints de URL de Nautobot no eran accesibles correctamente para usuarios no autenticados (an\u00f3nimos). Estos endpoints no revelar\u00e1n ning\u00fan dato de Nautobot a un usuario no autenticado a menos que la variable de configuraci\u00f3n de Nautobot EXEMPT_VIEW_PERMISSIONS se cambie de su valor predeterminado (una lista vac\u00eda) para permitir el acceso a datos espec\u00edficos por parte de usuarios no autenticados. Esta vulnerabilidad se solucion\u00f3 en 1.6.16 y 2.1.9."
    }
  ],
  "id": "CVE-2024-29199",
  "lastModified": "2025-08-26T17:18:09.650",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-26T03:15:13.707",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nautobot/nautobot/pull/5464"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nautobot/nautobot/pull/5465"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nautobot/nautobot/pull/5464"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nautobot/nautobot/pull/5465"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.