CVE-2023-46128
Nautobot vulnerable to exposure of hashed user passwords via REST API
7.7
HIGH
CVSS 3.1
EPSS 0.21%
Description
Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=<N>` query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. The passwords are not exposed in plaintext. This vulnerability has been patched in version 2.0.3.
How to fix CVE-2023-46128
To remediate CVE-2023-46128, upgrade the affected package to a fixed version below.
- —upgrade to 2.0.3 or later
- —upgrade to 1ce8e5c658a075c29554d517cd453675e5d40d71 or later
Is CVE-2023-46128 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 2.0.0, < 2.0.3
- from 0, < 1ce8e5c658a075c29554d517cd453675e5d40d71 | >= 2.0.0, < 2.0.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |