CVE-2023-48705

7.1 HIGH

📋 TL;DR

Nautobot versions before 1.6.6 and 2.0.5 contain a stored cross-site scripting vulnerability in user-authored content rendering. Users with permission to create/edit custom links, job buttons, or computed fields can inject malicious JavaScript that executes when other users view pages containing that content. All Nautobot deployments using affected versions are potentially vulnerable.

💻 Affected Systems

Products:
  • Nautobot
Versions: All versions earlier than 1.6.6 (for 1.6.x LTM) and earlier than 2.0.5 (for 2.0.x)
Operating Systems: All platforms running Nautobot
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in Django template rendering for custom links, job buttons, and computed fields. Requires user with appropriate permissions to create/edit content.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Privileged user with content creation permissions could inject malicious JavaScript that steals admin credentials, performs administrative actions, or compromises user sessions across the organization.

🟠

Likely Case

Malicious insider or compromised account with appropriate permissions could inject JavaScript to steal session cookies, redirect users to phishing sites, or perform unauthorized actions within the application.

🟢

If Mitigated

With proper object permissions restricting who can create/edit user-authored content, only trusted administrators could exploit this, limiting potential damage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with permissions to create/edit custom links, job buttons, or computed fields. The vulnerability is in the template rendering logic, so exploitation is straightforward for users with that access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.6 for 1.6.x LTM, 2.0.5 for 2.0.x

Vendor Advisory: https://github.com/nautobot/nautobot/security/advisories

Restart Required: Yes

Instructions:

1. Backup your Nautobot database and configuration.
2. Stop Nautobot services.
3. Upgrade using pip: 'pip install nautobot==1.6.6' for 1.6.x or 'pip install nautobot==2.0.5' for 2.0.x.
4. Run database migrations: 'nautobot-server migrate'.
5. Restart Nautobot services.

🔧 Temporary Workarounds

Restrict Content Creation Permissions


Apply strict object permissions to limit which users can create/edit custom links, job buttons, and computed fields.

Configure via Nautobot admin interface: Admin > Permissions > Object Permissions

🧯 If You Can't Patch

  • Implement strict object permissions to limit content creation/edit capabilities to only essential administrators
  • Monitor audit logs for suspicious content creation/modification activities and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check the Nautobot version with 'nautobot-server --version', or examine the installed package version in the Python environment.

Check Version:

nautobot-server --version

Verify Fix Applied:

Verify that the version is 1.6.6 or higher (for 1.6.x) or 2.0.5 or higher (for 2.0.x), and test that user-authored content is properly sanitized when rendered.

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns in custom link/job button/computed field creation/modification
  • Multiple content creation events from single user in short timeframe

Network Indicators:

  • Unexpected JavaScript execution in Nautobot pages
  • External resource loading from Nautobot interface

SIEM Query:

source="nautobot" AND (event="create_customlink" OR event="modify_customlink" OR event="create_jobbutton" OR event="modify_jobbutton") | stats count by user
