CVE-2023-48700

Опубликовано: 21 нояб. 2023

Источник: nvd

CVSS3: 5.7

CVSS3: 6.5

EPSS Низкий

Описание

The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are visible via Job Results from an execution of an Onboarding Task. Version 3.0.0 fixes this issue; no known workarounds are available. Mitigation recommendations include deleting all Job Results for any onboarding task to remove clear text credentials from database entries that were run while on v2.0.X, upgrading to v3.0.0, and rotating any exposed credentials.

Ссылки

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:nautobot:nautobot-plugin-device-onboarding:*:*:*:*:*:*:*:*

Версия от 2.0.0 (включая) до 3.0.0 (исключая)

EPSS

Процентиль: 36%

0.00149

Низкий

5.7 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-256

Связанные уязвимости

GHSA-qf3c-rw9f-jh7v

CVSS3: 5.7

github

около 2 лет назад

Clear Text Credentials Exposed via Onboarding Task

EPSS

Процентиль: 36%

0.00149

Низкий

5.7 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-256