CVE-2023-33796

9.1 CRITICAL

📋 TL;DR

A disputed vulnerability in Netbox v3.5.1 reportedly allows unauthenticated attackers to query the GraphQL database, potentially exposing sensitive data. The vendor disputes the severity, stating only public API schema queries were demonstrated. Organizations running affected Netbox versions should assess their exposure.

💻 Affected Systems

Products:
  • Netbox
Versions: v3.5.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Vendor disputes vulnerability exists in default configuration. Issue appears to be with GraphQL endpoint authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthenticated attackers could extract all sensitive data from the database including credentials, configuration secrets, and network infrastructure details.

🟠 Likely Case

Limited information disclosure of public API schema data, with actual database object queries being blocked by existing authentication mechanisms.

🟢 If Mitigated

No impact if proper authentication and authorization controls are functioning correctly.

🌐 Internet-Facing: MEDIUM - Disputed vulnerability could expose data if misconfigured, but vendor claims proper authentication prevents actual exploitation.
🏢 Internal Only: LOW - Internal systems with proper network segmentation and authentication would limit exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The only demonstration shows a query of the public API schema. The vendor disputes that actual database objects can be queried without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.5.2 and later

Vendor Advisory: https://github.com/netbox-community/netbox/discussions/12729

Restart Required: Yes

Instructions:

1. Back up the Netbox configuration and database.
2. Update to Netbox v3.5.2 or later.
3. Restart Netbox services.
4. Verify GraphQL endpoint authentication.

🔧 Temporary Workarounds

Disable GraphQL endpoint

all

Temporarily disable GraphQL API if not required

Edit the Netbox configuration to remove or comment out the GraphQL settings
Restart Netbox services

Restrict GraphQL access

all

Implement network-level restrictions to GraphQL endpoint

Configure firewall rules to restrict GraphQL endpoint access
Implement IP whitelisting for GraphQL API

🧯 If You Can't Patch

  • Implement strict network access controls to limit GraphQL endpoint exposure
  • Enable comprehensive authentication and audit logging for all GraphQL queries

🔍 How to Verify

Check if Vulnerable:

Check Netbox version: if running v3.5.1, test unauthenticated GraphQL queries to /graphql endpoint

Check Version:

python manage.py version

Verify Fix Applied:

Verify Netbox version is v3.5.2 or later and test that unauthenticated GraphQL queries return authentication errors

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated GraphQL queries in application logs
  • GraphQL query patterns from unexpected sources

Network Indicators:

  • HTTP requests to /graphql endpoint without authentication headers
  • Unusual GraphQL query patterns

SIEM Query:

source="netbox" AND (uri_path="/graphql" AND NOT auth_token=*)
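
The SIEM query above matches every unauthenticated request to /graphql, but the dispute turns on whether such a request only read the public schema or actually returned database objects. The following triage script is an added example, not code from this page or from the Netbox project; the JSON log fields (src, path, has_auth, status, query) and the sample events are constructed assumptions about what a reverse proxy in front of Netbox might record.

```python
import json
import re

# Constructed proxy log events (assumed JSON fields: src, path, has_auth, status, query).
SAMPLE_EVENTS = [
    '{"src":"203.0.113.7","path":"/graphql/","has_auth":false,"status":200,"query":"{ __schema { types { name } } }"}',
    '{"src":"203.0.113.7","path":"/graphql/","has_auth":false,"status":200,"query":"{ s: __schema { queryType { name } } }"}',
    '{"src":"198.51.100.9","path":"/graphql/","has_auth":false,"status":200,"query":"query { device_list { name } }"}',
    '{"src":"198.51.100.9","path":"/graphql/","has_auth":false,"status":403,"query":"query { device_list { name } }"}',
    '{"src":"192.0.2.10","path":"/graphql/","has_auth":true,"status":200,"query":"query { device_list { name } }"}',
]
TOKEN = re.compile(r"\.\.\.|[A-Za-z_]\w*|[{}():]")

def top_level_fields(query):
    """Return the field names selected at the root of each GraphQL operation."""
    query = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)  # string literals may hold braces
    tokens = TOKEN.findall(query)
    fields, braces, parens = [], 0, 0
    for i, tok in enumerate(tokens):
        if tok in "{}":
            braces += 1 if tok == "{" else -1
        elif tok in "()":
            parens += 1 if tok == "(" else -1
        elif braces == 1 and parens == 0 and tok != ":":
            # A name followed by ":" is an alias; the real field name comes next.
            if i + 1 == len(tokens) or tokens[i + 1] != ":":
                fields.append(tok)
    return fields

def classify(event):
    """Label one event; None means it is not an unauthenticated GraphQL request."""
    if event["has_auth"] or not event["path"].rstrip("/").endswith("/graphql"):
        return None
    if event["status"] in (401, 403):
        return "blocked"
    fields = top_level_fields(event.get("query", ""))
    if not fields:
        return "unparsed"
    # Introspection fields (__schema, __type, __typename) expose the schema only.
    return "schema-only" if all(f.startswith("__") for f in fields) else "data-query"

def triage(lines):
    """Return (source address, label) for every unauthenticated GraphQL event."""
    labelled = ((e["src"], classify(e)) for e in map(json.loads, lines))
    return [(src, label) for src, label in labelled if label]

if __name__ == "__main__":
    for src, label in triage(SAMPLE_EVENTS):
        print(src, label)
```

Events labelled data-query with a success status are the ones to escalate; schema-only matches the behaviour the vendor describes as public.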
