Summary
In default installs of NetBox v4.0.0 and v4.0.1, the global search feature allows an unauthenticated user to view a list of all objects, and the values of those objects’ declared display attributes, bypassing permissions. Authenticated users with restricted permissions can also access a similar list of objects and attributes that would normally be invisible to them.
Affected Products
- NetBox v4.0.0
- NetBox v4.0.1
Unaffected Products
- Previous versions of NetBox (v3.7.8 and earlier) are unaffected.
Vulnerability Details
- Description: The global search feature does not enforce model-level or object-level permissions when displaying the results to an unauthenticated user.
- Attack Vector:
- The NetBox web user interface is the only known vector.
- The NetBox REST API is unaffected.
Impact
- Severity Level: High (CVSS Score: 7.5)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Potential Impact
- An unauthenticated attacker can view cached object search results, revealing those objects' names and values included in the objects' display attributes list.
- An authenticated user with restricted permissions can view cached object search results for restricted objects, revealing those objects’ names and values included in the objects’ display attributes list.
Mitigation and Workarounds
The risk of an unauthenticated attacker mounting this attack can be entirely mitigated by changing the value of the LOGIN_REQUIRED setting in the configuration.py file to True. The risk of an authenticated user mounting this attack cannot be mitigated except by upgrading to NetBox 4.0.2 or later.
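The following audit helper is an added example, not NetBox Labs' own code: it applies the advisory's logic (affected versions, the LOGIN_REQUIRED workaround, and the 4.0.2 fix) to a version string and a configuration.py excerpt, reading the setting from source with the ast module rather than importing the file. The configuration excerpt is constructed, and treating an absent LOGIN_REQUIRED as False follows the advisory's description of default installs.

```python
import ast
import re
from dataclasses import dataclass

AFFECTED = {(4, 0, 0), (4, 0, 1)}   # versions named in the advisory
FIXED = (4, 0, 2)                   # first release containing the fix


@dataclass(frozen=True)
class Finding:
    version: tuple
    login_required: bool
    unauthenticated_exposure: bool   # search readable without a login
    restricted_user_exposure: bool   # search bypasses object permissions
    advice: str


def parse_version(text):
    """Turn 'v4.0.1' or '4.0.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def login_required_from_config(config_source):
    """Read LOGIN_REQUIRED from configuration.py text without executing it.
    An absent setting is treated as False (the default-install case)."""
    value = False
    for node in ast.parse(config_source).body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id == "LOGIN_REQUIRED":
                    value = bool(ast.literal_eval(node.value))
    return value


def audit(version_text, config_source):
    version = parse_version(version_text)
    login_required = login_required_from_config(config_source)
    affected = version in AFFECTED
    if version >= FIXED:
        advice = "fixed: NetBox 4.0.2 or later"
    elif not affected:
        advice = "not affected: earlier than 4.0.0"
    elif login_required:
        advice = "unauthenticated path closed by LOGIN_REQUIRED; upgrade to 4.0.2+ for the authenticated path"
    else:
        advice = "set LOGIN_REQUIRED = True now, then upgrade to 4.0.2+"
    return Finding(version, login_required, affected and not login_required, affected, advice)


# Constructed configuration.py excerpt for demonstration, not a real deployment.
SAMPLE_CONFIG = "ALLOWED_HOSTS = ['*']\nLOGIN_REQUIRED = False\n"
```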
Solution
NetBox 4.0.2 includes a fix for this vulnerability.
Patch Information:
- Release packages are available from GitHub
- Docker images are available from DockerHub
Update Instructions:
References
Contact Information
- Support:
- Security Contact:
Disclaimer
This document is provided on an "as is" basis for informational purposes only and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. NetBox Labs reserves the right to change or update this document at any time.