Look up vulnerabilities affecting packages.

GET /api/vulnerabilities/36592?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36592?format=api",
    "vulnerability_id": "VCID-vamd-bk63-gkh1",
    "summary": "Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=<N>` query parameter, can expose hashed user passwords as stored in the database to any authenticated user with access to these endpoints. The passwords are not exposed in plaintext. This vulnerability has been patched in version 2.0.3.",
    "aliases": [
        {
            "alias": "CVE-2023-46128"
        },
        {
            "alias": "GHSA-r2hw-74xv-4gqp"
        },
        {
            "alias": "PYSEC-2023-220"
        }
    ],
    "fixed_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/37687?format=api",
            "purl": "pkg:pypi/nautobot@2.0.3",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-d3uz-p963-6fay"
                },
                {
                    "vulnerability": "VCID-kjkb-625k-kudt"
                },
                {
                    "vulnerability": "VCID-qbp5-ry2r-hufh"
                },
                {
                    "vulnerability": "VCID-r31w-t9kj-kudc"
                },
                {
                    "vulnerability": "VCID-vr34-ms8k-zybv"
                },
                {
                    "vulnerability": "VCID-z4ux-pgu6-6kc9"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.0.3"
        }
    ],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/37684?format=api",
            "purl": "pkg:pypi/nautobot@2.0.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-d3uz-p963-6fay"
                },
                {
                    "vulnerability": "VCID-kjkb-625k-kudt"
                },
                {
                    "vulnerability": "VCID-qbp5-ry2r-hufh"
                },
                {
                    "vulnerability": "VCID-qdhy-2gqp-1kgj"
                },
                {
                    "vulnerability": "VCID-r31w-t9kj-kudc"
                },
                {
                    "vulnerability": "VCID-vamd-bk63-gkh1"
                },
                {
                    "vulnerability": "VCID-vr34-ms8k-zybv"
                },
                {
                    "vulnerability": "VCID-z4ux-pgu6-6kc9"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.0.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/37685?format=api",
            "purl": "pkg:pypi/nautobot@2.0.1",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-d3uz-p963-6fay"
                },
                {
                    "vulnerability": "VCID-kjkb-625k-kudt"
                },
                {
                    "vulnerability": "VCID-qbp5-ry2r-hufh"
                },
                {
                    "vulnerability": "VCID-r31w-t9kj-kudc"
                },
                {
                    "vulnerability": "VCID-vamd-bk63-gkh1"
                },
                {
                    "vulnerability": "VCID-vr34-ms8k-zybv"
                },
                {
                    "vulnerability": "VCID-z4ux-pgu6-6kc9"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.0.1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/37686?format=api",
            "purl": "pkg:pypi/nautobot@2.0.2",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-d3uz-p963-6fay"
                },
                {
                    "vulnerability": "VCID-kjkb-625k-kudt"
                },
                {
                    "vulnerability": "VCID-qbp5-ry2r-hufh"
                },
                {
                    "vulnerability": "VCID-r31w-t9kj-kudc"
                },
                {
                    "vulnerability": "VCID-vamd-bk63-gkh1"
                },
                {
                    "vulnerability": "VCID-vr34-ms8k-zybv"
                },
                {
                    "vulnerability": "VCID-z4ux-pgu6-6kc9"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.0.2"
        }
    ],
    "references": [
        {
            "reference_url": "https://github.com/nautobot/nautobot",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/nautobot/nautobot"
        },
        {
            "reference_url": "https://github.com/nautobot/nautobot/commit/1ce8e5c658a075c29554d517cd453675e5d40d71",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "6.5",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
                }
            ],
            "url": "https://github.com/nautobot/nautobot/commit/1ce8e5c658a075c29554d517cd453675e5d40d71"
        },
        {
            "reference_url": "https://github.com/nautobot/nautobot/pull/4692",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "6.5",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
                }
            ],
            "url": "https://github.com/nautobot/nautobot/pull/4692"
        },
        {
            "reference_url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqp",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "6.5",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
                }
            ],
            "url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqp"
        },
        {
            "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2023-220.yaml",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nautobot/PYSEC-2023-220.yaml"
        },
        {
            "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46128",
            "reference_id": "CVE-2023-46128",
            "reference_type": "",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46128"
        },
        {
            "reference_url": "https://github.com/advisories/GHSA-r2hw-74xv-4gqp",
            "reference_id": "GHSA-r2hw-74xv-4gqp",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/advisories/GHSA-r2hw-74xv-4gqp"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 200,
            "name": "Exposure of Sensitive Information to an Unauthorized Actor",
            "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information."
        },
        {
            "cwe_id": 312,
            "name": "Cleartext Storage of Sensitive Information",
            "description": "The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere."
        },
        {
            "cwe_id": 359,
            "name": "Exposure of Private Personal Information to an Unauthorized Actor",
            "description": "The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected."
        },
        {
            "cwe_id": 937,
            "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
        },
        {
            "cwe_id": 1035,
            "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
        }
    ],
    "exploits": [],
    "severity_range_score": "6.5 - 6.5",
    "exploitability": null,
    "weighted_severity": null,
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vamd-bk63-gkh1"
}