=====================================================================
CERT-Renater Information Note No. 2025/VULN347
_____________________________________________________________________

DATE                 : 11/06/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Nautobot versions prior to 1.6.32, 2.4.10.
=====================================================================

https://github.com/nautobot/nautobot/security/advisories/GHSA-rh67-4c8j-hjjh
https://github.com/nautobot/nautobot/security/advisories/GHSA-wjw6-95h5-4jpx
_____________________________________________________________________

Uploaded media files are accessible without authentication

Severity          : Moderate
Published by      : glennmatthews, GHSA-rh67-4c8j-hjjh, Jun 10, 2025
Package           : nautobot (pip)
Affected versions : <1.6.32, <2.4.10
Patched versions  : 1.6.32, 2.4.10

Description

Impact

Files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file.

For DeviceType image attachments, a mitigating factor is that no URL endpoint exists for listing the contents of the devicetype-images/ subdirectory, and the file names are as specified by the uploading user, so any given DeviceType image attachment can only be retrieved by correctly guessing its file name. Similarly, for all other image attachments, while the images can be listed by accessing the /api/extras/image-attachments/ endpoint as an authenticated user only, absent that authenticated access, accessing the files would again require guessing file names correctly.

Patches

Nautobot v2.4.10 and v1.6.32 will address this issue by adding enforcement of Nautobot user authentication to this endpoint.

Workarounds

No workaround other than applying the patch given in #6672 (2.x) or #6703 (1.6).

References

Commits 9c892dc and d99a53b

Severity: Moderate, 6.3 / 10 (CVSS v4 base metrics)

Exploitability Metrics
  Attack Vector       : Network
  Attack Complexity   : High
  Attack Requirements : Present
  Privileges Required : None
  User Interaction    : None
Vulnerable System Impact Metrics
  Confidentiality : Low
  Integrity       : None
  Availability    : None
Subsequent System Impact Metrics
  Confidentiality : Low
  Integrity       : None
  Availability    : None

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
CVE ID     : CVE-2025-49143
Weaknesses : CWE-200
_____________________________________________________________________

Secrets exposure and data manipulation through Jinja2 templating

Severity          : Moderate
Published by      : glennmatthews, GHSA-wjw6-95h5-4jpx, Jun 10, 2025
Package           : nautobot (pip)
Affected versions : <1.6.32, <2.4.10
Patched versions  : 1.6.32, 2.4.10

Description

Impact

All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot:

- A malicious user could configure this feature set in ways that could expose the value of Secrets defined in Nautobot when the templated content is rendered.
- A malicious user could configure this feature set in ways that could call Python APIs to modify data within Nautobot when the templated content is rendered, bypassing the object permissions assigned to the viewing user.

Patches

Nautobot versions 1.6.32 and 2.4.10 will include fixes for the vulnerability.

Workarounds

The vulnerability can be partially mitigated by configuring object permissions appropriately to limit the below actions to only trusted users:

  extras.add_secret
  extras.change_secret
  extras.view_secret
  extras.add_computedfield
  extras.change_computedfield
  extras.add_customlink
  extras.change_customlink
  extras.add_jobbutton
  extras.change_jobbutton

References

https://jinja.palletsprojects.com/en/stable/sandbox/
https://docs.djangoproject.com/en/4.2/ref/templates/api/#alters-data-description
#7417
#7429

Severity: Moderate, 6.0 / 10 (CVSS v4 base metrics)

Exploitability Metrics
  Attack Vector       : Network
  Attack Complexity   : High
  Attack Requirements : None
  Privileges Required : Low
  User Interaction    : None
Vulnerable System Impact Metrics
  Confidentiality : High
  Integrity       : Low
  Availability    : None
Subsequent System Impact Metrics
  Confidentiality : Low
  Integrity       : Low
  Availability    : Low

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L
CVE ID     : CVE-2025-49142
Weaknesses : CWE-1336
Credits    : @mzbroch (Finder)

=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel        | fax : 01-53-94-20-41            +
+ 75013 Paris             | email : cert@support.renater.fr +
=========================================================
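The first advisory (GHSA-rh67-4c8j-hjjh) turns on one property: the endpoint that serves MEDIA_ROOT files must check the caller's identity before it looks up any file. The Python below is an added example, not code from Nautobot or its patch: a minimal WSGI handler standing in for the media endpoint, with a constructed bearer token (DEMO_TOKEN, is_authenticated), a constructed upload directory and sample file, and the helper names make_media_app, call and demo all assumed for the illustration. It shows the ordering the fix restores (identity check first, file system second) so that an anonymous client that guesses a file name gets the same 401 as one that guesses wrong; the containment check on the resolved path is a standard part of any file-serving handler and is not taken from the advisory.

```python
"""Serve user-uploaded media only to authenticated callers (added example)."""
import hmac
import os
import tempfile

# Constructed demo credential; a real deployment would consult the session store.
DEMO_TOKEN = "demo-token-not-a-real-secret"


def is_authenticated(environ):
    """Return True only if the request carries the expected bearer token."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, token = header.partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(
        token.encode("utf-8"), DEMO_TOKEN.encode("utf-8")
    )


def make_media_app(media_root, auth_check=is_authenticated, prefix="/media/"):
    """Build a WSGI app serving files under media_root (assumed MEDIA_ROOT stand-in)."""
    media_root = os.path.realpath(media_root)

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not path.startswith(prefix):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        # Authentication is enforced before the file system is touched, so an
        # anonymous client learns nothing from guessing file names.
        if not auth_check(environ):
            start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                                                ("WWW-Authenticate", "Bearer")])
            return [b"authentication required"]
        full = os.path.realpath(os.path.join(media_root, path[len(prefix):]))
        # Containment check: the resolved path must stay under media_root.
        if os.path.commonpath([media_root, full]) != media_root or not os.path.isfile(full):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        with open(full, "rb") as fh:
            data = fh.read()
        start_response("200 OK", [("Content-Type", "application/octet-stream"),
                                  ("Content-Length", str(len(data)))])
        return [data]

    return app


def call(app, path, token=None):
    """Invoke the WSGI app in-process and return (status line, body bytes)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def demo():
    """Exercise the handler against a constructed upload directory; returns a dict."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "devicetype-images"))
        with open(os.path.join(root, "devicetype-images", "front.png"), "wb") as fh:
            fh.write(b"\x89PNG-constructed-sample")  # constructed file content
        app = make_media_app(root)
        target = "/media/devicetype-images/front.png"
        return {
            "anonymous": call(app, target),
            "wrong_token": call(app, target, "not-the-token"),
            "authenticated": call(app, target, DEMO_TOKEN),
            "missing": call(app, "/media/devicetype-images/other.png", DEMO_TOKEN),
        }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:14s} {status:16s} {body[:24]!r}")
```

Running the file prints one line per case: both unauthenticated requests get 401 without the handler ever opening the file, the authenticated request gets the bytes, and a wrong file name with valid credentials gets 404. In a Django deployment the same ordering is what wrapping the media view in an authentication check achieves; the WSGI shape here only makes the ordering visible in a few lines.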
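The second advisory (GHSA-wjw6-95h5-4jpx) points at two mechanisms in its references: Jinja2's sandboxed environment and Django's alters_data convention. The Python below is an added example, not Nautobot code and not the project's fix: Record is a constructed stand-in for a database-backed object exposed to a template, its delete() method and _internal_note attribute are constructed, and render/compare are helper names assumed for the illustration. It renders the same user-controlled template once with a plain Environment and once with SandboxedEnvironment, which refuses to call a method marked alters_data = True and returns an undefined value for underscore-prefixed attributes instead of their contents.

```python
"""Rendering user-controlled Jinja2 templates in a sandbox (added example)."""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError


class Record:
    """Constructed stand-in for a model instance reachable from a template."""

    def __init__(self, name):
        self.name = name
        self.deleted = False
        self._internal_note = "constructed private value"

    def delete(self):
        """Mutates state; must never be reachable from template rendering."""
        self.deleted = True
        return "deleted"

    # Django's convention, honoured by Jinja2's sandbox (is_safe_callable):
    # a callable flagged alters_data is refused with SecurityError.
    delete.alters_data = True


def render(template_source, sandboxed, **context):
    """Render the template; returns ('ok', output) or ('blocked', message)."""
    env = SandboxedEnvironment() if sandboxed else Environment()
    try:
        return "ok", env.from_string(template_source).render(**context)
    except SecurityError as exc:
        return "blocked", str(exc)


def compare(template_source):
    """Render with and without the sandbox on fresh objects.

    Returns {"plain": (status, output, deleted), "sandbox": (...)} so the
    side effect on the object is visible alongside the rendered text.
    """
    results = {}
    for label, sandboxed in (("plain", False), ("sandbox", True)):
        rec = Record("core-sw-01")  # constructed sample object
        status, output = render(template_source, sandboxed, obj=rec)
        results[label] = (status, output, rec.deleted)
    return results


if __name__ == "__main__":
    # Constructed templates: a benign field read, a state-changing call, and a
    # read of a private attribute.
    for src in ("{{ obj.name }}", "{{ obj.delete() }}", "{{ obj._internal_note }}"):
        print(f"{src:28s} {compare(src)}")
```

The benign template renders identically in both environments. The plain environment executes delete() and flips the object's state; the sandbox raises SecurityError and the object is untouched. For the private attribute the sandbox renders an empty string rather than the value. Marking every mutating method with alters_data (as Django's ORM does) is what makes the sandbox's callable check effective, and Jinja2's ImmutableSandboxedEnvironment additionally refuses mutation of built-in containers passed into the context.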