CVE-2024-34707

Nautobot's BANNER_* configuration can be used to inject arbitrary HTML content into Nautobot pages

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings are used to provide custom banner text at the top and bottom of all Nautobot web pages (or specifically on the login page in the case of `BANNER_LOGIN`) but it was reported that an admin user can make use of these settings to inject arbitrary HTML, potentially exposing Nautobot users to security issues such as cross-site scripting (stored XSS). The vulnerability is fixed in Nautobot 1.6.22 and 2.2.4.

Nautobot es una plataforma de automatización de redes y fuente de verdad de red. Un usuario de Nautobot con privilegios de administrador puede modificar los ajustes de configuración `BANNER_TOP`, `BANNER_BOTTOM` y `BANNER_LOGIN` a través del endpoint `/admin/constance/config/`. Normalmente, estas configuraciones se usan para proporcionar texto de banner personalizado en la parte superior e inferior de todas las páginas web de Nautobot (o específicamente en la página de inicio de sesión en el caso de `BANNER_LOGIN`), pero se informó que un usuario administrador puede hacer uso de estas configuraciones para inyectar HTML arbitrario, exponiendo potencialmente a los usuarios de Nautobot a problemas de seguridad como Cross Site Scripting (XSS almacenados). La vulnerabilidad está solucionada en Nautobot 1.6.22 y 2.2.4.

*Credits: N/A

CVSS Scores

GitHubv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-07 CVE Reserved
2024-05-13 CVE Published
2024-05-14 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (5)

URL	Tag	Source
https://github.com/nautobot/nautobot/commit/4f0a66bd6307bfe0e0acb899233e0d4ad516f51c	X_refsource_misc
https://github.com/nautobot/nautobot/commit/f640aedc69c848d3d1be57f0300fc40033ff6423	X_refsource_misc
https://github.com/nautobot/nautobot/pull/5697	X_refsource_misc
https://github.com/nautobot/nautobot/pull/5698	X_refsource_misc
https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hr-4v48-fjv3	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nautobot Search vendor "Nautobot"		Nautobot Search vendor "Nautobot" for product "Nautobot"				< 1.6.22 Search vendor "Nautobot" for product "Nautobot" and version " < 1.6.22"		en		Affected
Nautobot Search vendor "Nautobot"		Nautobot Search vendor "Nautobot" for product "Nautobot"				>= 2.0.0 < 2.2.4 Search vendor "Nautobot" for product "Nautobot" and version " >= 2.0.0 < 2.2.4"		en		Affected