{"id":"PYSEC-2023-287","details":"Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have permission to run Jobs in general). Object-level permissions (i.e., does the user have permission to run this specific Job?) are not enforced by the URL/view used in this case. A user with permissions to run even a single Job can actually run all configured JobButton Jobs. Fix will be available in Nautobot 1.6.8 and 2.1.0 ","aliases":["CVE-2023-51649","GHSA-vf5m-xrhm-v999"],"modified":"2024-11-21T14:59:27.289162Z","published":"2023-12-22T17:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/nautobot/nautobot/security/advisories/GHSA-vf5m-xrhm-v999"},{"type":"REPORT","url":"https://github.com/nautobot/nautobot/issues/4988"},{"type":"FIX","url":"https://github.com/nautobot/nautobot/pull/4993"},{"type":"FIX","url":"https://github.com/nautobot/nautobot/pull/4995"}],"affected":[{"package":{"name":"nautobot","ecosystem":"PyPI","purl":"pkg:pypi/nautobot"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.0"},{"fixed":"2.1.0"},{"introduced":"1.5.14"},{"fixed":"1.6.8"}]}],"versions":["1.5.14","1.5.15","1.5.16","1.5.17","1.5.18","1.5.19","1.5.20","1.5.21","1.5.22","1.5.23","1.5.24","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.1.0b1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/nautobot/PYSEC-2023-287.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}]}