CVE-2023-50263
Published: 12 December 2023
Summary
CVE-2023-50263 is a low-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Networktocode Nautobot. Its CVSS base score is 3.7 (Low).
Operationally, ranked in the top 36.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0180
Vulnerability details
Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 1.x and 2.0.x prior to 1.6.7 and 2.0.6, the URLs `/files/get/?name=...`…
more
and `/files/download/?name=...` are used to provide admin access to files that have been uploaded as part of a run request for a Job that has FileVar inputs. Under normal operation these files are ephemeral and are deleted once the Job in question runs. In the default implementation used in Nautobot, as provided by `django-db-file-storage`, these URLs do not by default require any user authentication to access; they should instead be restricted to only users who have permissions to view Nautobot's `FileProxy` model instances. Note that no URL mechanism is provided for listing or traversal of the available file `name` values, so in practice an unauthenticated user would have to guess names to discover arbitrary files for download, but if a user knows the file name/path value, they can access it without authenticating, so we are considering this a vulnerability. Fixes are included in Nautobot 1.6.7 and Nautobot 2.0.6. No known workarounds are available other than applying the patches included in those versions.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle.
Inventory identifies all systems holding or processing data, enabling detection of unauthorized exposure paths before exploitation.
Protection planning for critical infrastructure directly calls for authentication of access to essential functions before any operation is permitted.
Risk assessments evaluate exposure of critical functions lacking authentication and prioritize corrective controls.
Requires authentication gates on critical functions that must remain unavailable to anonymous public users.
Treats remote activation of surveillance-capable devices as a critical function that must be disabled or authenticated.
Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.