CVE-2023-48700
CVSS V2 None
CVSS V3 None
Description
The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are visible via Job Results from an execution of an Onboarding Task. Version 3.0.0 fixes this issue; no known workarounds are available. Mitigation recommendations include deleting all Job Results for any onboarding task to remove clear text credentials from database entries that were run while on v2.0.X, upgrading to v3.0.0, and rotating any exposed credentials.
Overview
- CVE ID
- CVE-2023-48700
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2023-11-21T22:30:58.030Z
- Last Modified Date
- 2023-11-21T22:30:58.030Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v | x_refsource_CONFIRM |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-48700 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48700 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-06-25 00:19:11 | Added to TrackCVE |