Security Advisory: Insufficient authorization in NetBox 4.0 global search results

High
jeffgdotorg published GHSA-32w2-6gm2-7766 May 20, 2024

Package

NetBox

Affected versions

4.0.0, 4.0.1

Patched versions

4.0.2

Description

Summary

In default installs of NetBox v4.0.0 and v4.0.1, the global search feature allows an unauthenticated user to view a list of all the objects, and the values of those objects’ declared display attributes, bypassing permissions. Authenticated users with restricted permissions can also access a similar list of objects and attributes that would normally be invisible to them.

Affected Products

  • NetBox v4.0.0
  • NetBox v4.0.1

Unaffected Products

  • Previous versions of NetBox (v3.7.8 and earlier) are unaffected.

Vulnerability Details

  • Description: The global search feature does not enforce model-level or object-level permissions when displaying the results to an unauthenticated user.
  • Attack Vector:
    • The NetBox web user interface is the only known vector.
    • The NetBox REST API is unaffected.

Impact

  • Severity Level: High (CVSS Score: 7.5)
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Potential Impact

  • An unauthenticated attacker can view cached object search results, revealing those objects' names and values included in the objects' display attributes list.
  • An authenticated user with restricted permissions can view cached object search results for restricted objects, revealing those objects’ names and values included in the objects’ display attributes list.

Mitigation and Workarounds

The risk of an unauthenticated attacker mounting this attack can be entirely mitigated by changing the value of the LOGIN_REQUIRED setting in the configuration.py file to True. The risk of an authenticated user mounting this attack cannot be mitigated except by upgrading to NetBox 4.0.2 or later.

Solution

NetBox 4.0.2 includes a fix for this vulnerability.
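As an added check (not NetBox's own code), the following script applies the mitigation and solution guidance above to one instance: it reads LOGIN_REQUIRED out of a configuration.py with Python's ast module rather than importing the file, compares the version against the affected list, and reports the unauthenticated and authenticated exposures separately. The SAMPLE_CONFIG contents are constructed for the example.

```python
import ast

# Versions named by the advisory; NetBox 4.0.2 and later carry the fix.
AFFECTED_VERSIONS = {"4.0.0", "4.0.1"}

# Constructed sample of a NetBox configuration.py, not from a real install.
SAMPLE_CONFIG = """
ALLOWED_HOSTS = ["netbox.example.internal"]
LOGIN_REQUIRED = False
"""


def login_required_setting(config_source: str):
    """Literal assigned to LOGIN_REQUIRED, or None if absent or not a literal.
    Uses ast so the file is never executed; the last assignment wins."""
    value = None
    for node in ast.parse(config_source).body:
        if not isinstance(node, ast.Assign):
            continue
        if any(isinstance(t, ast.Name) and t.id == "LOGIN_REQUIRED" for t in node.targets):
            try:
                value = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                value = None  # computed expression: unknown, so not proven True
    return value


def assess(version: str, config_source: str) -> dict:
    """Classify one instance's exposure to GHSA-32w2-6gm2-7766.
    Unauthenticated exposure needs an affected version with LOGIN_REQUIRED not
    True (unset counts as not True, since default installs are affected);
    authenticated exposure remains on any affected version."""
    affected = version in AFFECTED_VERSIONS
    login_required = login_required_setting(config_source)
    report = {
        "version": version,
        "vulnerable_version": affected,
        "login_required": login_required,
        "unauthenticated_exposure": affected and login_required is not True,
        "authenticated_exposure": affected,
    }
    if not affected:
        report["action"] = "none required for this advisory"
    elif login_required is not True:
        report["action"] = "set LOGIN_REQUIRED = True now, then upgrade to 4.0.2 or later"
    else:
        report["action"] = "upgrade to 4.0.2 or later"
    return report
```

Run `assess("4.0.1", open("configuration.py").read())` against a real file to get the same report for an actual deployment.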

References

Contact Information

Disclaimer

This document is provided on an "as is" basis for informational purposes only and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. NetBox Labs reserves the right to change or update this document at any time.


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None


CVE ID

No known CVE
