CVE-2023-48700 - Vulnerability Details

Vendors	Products
Nautobot	Nautobot-plugin-device-onboarding

Link	Providers
https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-48700", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-17T19:43:37.553Z", "datePublished": "2023-11-21T22:30:58.030Z", "dateUpdated": "2024-08-02T21:37:54.443Z"}, "containers": {"cna": {"title": "Clear Text Credentials Exposed via Onboarding Task", "problemTypes": [{"descriptions": [{"cweId": "CWE-256", "lang": "en", "description": "CWE-256: Plaintext Storage of a Password", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-312", "lang": "en", "description": "CWE-312: Cleartext Storage of Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v"}], "affected": [{"vendor": "nautobot", "product": "nautobot-plugin-device-onboarding", "versions": [{"version": ">= 2.0.0, < 3.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-21T22:30:58.030Z"}, "descriptions": [{"lang": "en", "value": "The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are visible via Job Results from an execution of an Onboarding Task. Version 3.0.0 fixes this issue; no known workarounds are available. Mitigation recommendations include deleting all Job Results for any onboarding task to remove clear text credentials from database entries that were run while on v2.0.X, upgrading to v3.0.0, and rotating any exposed credentials."}], "source": {"advisory": "GHSA-qf3c-rw9f-jh7v", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:37:54.443Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nautobot:nautobot-plugin-device-onboarding:*:*:*:*:*:*:*:*", "matchCriteriaId": "1974D38A-2A2A-4498-95A1-C9EB2137CB43", "versionEndExcluding": "3.0.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are visible via Job Results from an execution of an Onboarding Task. Version 3.0.0 fixes this issue; no known workarounds are available. Mitigation recommendations include deleting all Job Results for any onboarding task to remove clear text credentials from database entries that were run while on v2.0.X, upgrading to v3.0.0, and rotating any exposed credentials."}, {"lang": "es", "value": "El complemento Nautobot Device Onboarding utiliza las librer\u00edas netmiko y NAPALM para simplificar el proceso de incorporaci\u00f3n de un nuevo dispositivo a Nautobot hasta, en muchos casos, una direcci\u00f3n IP y una ubicaci\u00f3n. A partir de la versi\u00f3n 2.0.0 y anteriores a la versi\u00f3n 3.0.0, las credenciales proporcionadas para la tarea de incorporaci\u00f3n son visibles a trav\u00e9s de los resultados del trabajo desde la ejecuci\u00f3n de una tarea de incorporaci\u00f3n. La versi\u00f3n 3.0.0 soluciona este problema; no hay workarounds conocidos disponibles. Las recomendaciones de mitigaci\u00f3n incluyen eliminar todos los resultados del trabajo para cualquier tarea de incorporaci\u00f3n para eliminar las credenciales de texto plano de las entradas de la base de datos que se ejecutaron en la versi\u00f3n 2.0.X, actualizar a la versi\u00f3n 3.0.0 y rotar las credenciales expuestas."}], "id": "CVE-2023-48700", "lastModified": "2024-11-21T08:32:17.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-11-21T23:15:08.307", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-256"}, {"lang": "en", "value": "CWE-312"}], "source": "[email protected]", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object