Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/45308?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/45308?format=api", "purl": "pkg:pypi/nautobot@1.6.16", "type": "pypi", "namespace": "", "name": "nautobot", "version": "1.6.16", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.6.32", "latest_non_vulnerable_version": "3.1.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37079?format=api", "vulnerability_id": "VCID-vr34-ms8k-zybv", "summary": "Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot, a malicious user could configure this feature set in ways that could expose the value of Secrets defined in Nautobot when the templated content is rendered or that could call Python APIs to modify data within Nautobot when the templated content is rendered, bypassing the object permissions assigned to the viewing user. Nautobot versions 1.6.32 and 2.4.10 will include fixes for the vulnerability. The vulnerability can be partially mitigated by configuring object permissions appropriately to limit certain actions to only trusted users.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/4.2/ref/templates/api/#alters-data-description", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://docs.djangoproject.com/en/4.2/ref/templates/api/#alters-data-description" }, { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/7417", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/pull/7417" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/7429", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/pull/7429" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-wjw6-95h5-4jpx", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-wjw6-95h5-4jpx" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2025-74.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2025-74.yaml" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2025-79.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2025-79.yaml" }, { "reference_url": "https://jinja.palletsprojects.com/en/stable/sandbox", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://jinja.palletsprojects.com/en/stable/sandbox" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49142", "reference_id": "CVE-2025-49142", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49142" }, { "reference_url": "https://github.com/advisories/GHSA-wjw6-95h5-4jpx", "reference_id": "GHSA-wjw6-95h5-4jpx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wjw6-95h5-4jpx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45353?format=api", "purl": "pkg:pypi/nautobot@1.6.32", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@1.6.32" }, { "url": "http://public2.vulnerablecode.io/api/packages/45354?format=api", "purl": "pkg:pypi/nautobot@2.4.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.4.10" } ], "aliases": [ "CVE-2025-49142", "GHSA-wjw6-95h5-4jpx", "PYSEC-2025-74", "PYSEC-2025-79" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vr34-ms8k-zybv" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47349?format=api", "vulnerability_id": "VCID-qdhy-2gqp-1kgj", "summary": "Unauthenticated views may expose information to anonymous users\nA number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users, including the following:\n\n- `/api/graphql/` (1)\n- `/api/users/users/session/` (Nautobot 2.x only; the only information exposed to an anonymous user is which authentication backend classes are enabled on this Nautobot instance)\n- `/dcim/racks/<uuid:pk>/dynamic-groups/` (1)\n- `/dcim/devices/<uuid:pk>/dynamic-groups/` (1)\n- `/extras/job-results/<uuid:pk>/log-table/`\n- `/extras/secrets/provider/<str:provider_slug>/form/` (the only information exposed to an anonymous user is the fact that a secrets provider with the given slug (e.g. `environment-variable` or `text-file`) is supported by this Nautobot instance)\n- `/ipam/prefixes/<uuid:pk>/dynamic-groups/` (1)\n- `/ipam/ip-addresses/<uuid:pk>/dynamic-groups/` (1)\n- `/virtualization/clusters/<uuid:pk>/dynamic-groups/` (1)\n- `/virtualization/virtual-machines/<uuid:pk>/dynamic-groups/` (1)\n\n(1) These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable `EXEMPT_VIEW_PERMISSIONS` is changed from its default value (an empty list) to permit access to specific data by unauthenticated users.\n\nOf these endpoints, the only one that poses any significant risk of sensitive information disclosure under normal Nautobot operation with a default configuration is `/extras/job-results/<uuid:pk>/log-table/`. This endpoint returns an HTML table containing all of the logs associated with the specified JobResult; while these logs may contain sensitive information depending on the Jobs executed in Nautobot, this exposure is mitigated somewhat by the fact that any attacker would have to have prior knowledge of the existence of a JobResult with a particular UUID.\n\nIn the interest of full disclosure, the following additional endpoints were also accessible to anonymous users, but do not disclose any sensitive data when accessed (only a listing of other API endpoints).\n\n- `/api/`\n- `/api/circuits/`\n- `/api/dcim/`\n- `/api/extras/`\n- `/api/ipam/`\n- `/api/plugins/`\n- `/api/tenancy/`\n- `/api/users/`\n- `/api/virtualization/`\n\nAll of the above endpoints have been corrected to require user authentication, with the exception of `/api/users/users/session/` which is unused at this time and therefore has been simply removed from Nautobot 2.1.9. Additionally, we have added test automation which enumerates available Nautobot URL endpoints and verifies that appropriate authentication requirements are in place; this test was instrumental in identifying the above comprehensive list.", "references": [ { "reference_url": "https://github.com/nautobot/nautobot", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/commit/2fd95c365f8477b26e06d60b999ddd36882d5750" }, { "reference_url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/commit/dd623e6c3307f48b6357fcc91925bcad5192abfb" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/5464", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/pull/5464" }, { "reference_url": "https://github.com/nautobot/nautobot/pull/5465", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/pull/5465" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v1.6.16" }, { "reference_url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/releases/tag/v2.1.9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29199", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29199" }, { "reference_url": "https://github.com/advisories/GHSA-m732-wvh2-7cq4", "reference_id": "GHSA-m732-wvh2-7cq4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m732-wvh2-7cq4" }, { "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4", "reference_id": "GHSA-m732-wvh2-7cq4", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-m732-wvh2-7cq4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/45308?format=api", "purl": "pkg:pypi/nautobot@1.6.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-vr34-ms8k-zybv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@1.6.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/41175?format=api", "purl": "pkg:pypi/nautobot@2.1.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-vr34-ms8k-zybv" }, { "vulnerability": "VCID-z4ux-pgu6-6kc9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.9" } ], "aliases": [ "CVE-2024-29199", "GHSA-m732-wvh2-7cq4" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qdhy-2gqp-1kgj" } ], "risk_score": "3.2", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@1.6.16" }