CVE-2023-48700

Clear Text Credentials Exposed via Onboarding Task

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are visible via Job Results from an execution of an Onboarding Task. Version 3.0.0 fixes this issue; no known workarounds are available. Mitigation recommendations include deleting all Job Results for any onboarding task to remove clear text credentials from database entries that were run while on v2.0.X, upgrading to v3.0.0, and rotating any exposed credentials.

El complemento Nautobot Device Onboarding utiliza las librerías netmiko y NAPALM para simplificar el proceso de incorporación de un nuevo dispositivo a Nautobot hasta, en muchos casos, una dirección IP y una ubicación. A partir de la versión 2.0.0 y anteriores a la versión 3.0.0, las credenciales proporcionadas para la tarea de incorporación son visibles a través de los resultados del trabajo desde la ejecución de una tarea de incorporación. La versión 3.0.0 soluciona este problema; no hay workarounds conocidos disponibles. Las recomendaciones de mitigación incluyen eliminar todos los resultados del trabajo para cualquier tarea de incorporación para eliminar las credenciales de texto plano de las entradas de la base de datos que se ejecutaron en la versión 2.0.X, actualizar a la versión 3.0.0 y rotar las credenciales expuestas.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-11-17 CVE Reserved
2023-11-21 CVE Published
2024-08-02 CVE Updated
2024-10-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-256: Plaintext Storage of a Password
CWE-312: Cleartext Storage of Sensitive Information

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v	2023-11-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nautobot Search vendor "Nautobot"		Nautobot-plugin-device-onboarding Search vendor "Nautobot" for product "Nautobot-plugin-device-onboarding"				>= 2.0.0 < 3.0.0 Search vendor "Nautobot" for product "Nautobot-plugin-device-onboarding" and version " >= 2.0.0 < 3.0.0"		-		Affected