{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36797?format=json","vulnerability_id":"VCID-z4ux-pgu6-6kc9","summary":"Nautobot is a Network Source of Truth and Network Automation Platform. A user with permissions to view Dynamic Group records (`extras.view_dynamicgroup` permission) can use the Dynamic Group detail UI view (`/extras/dynamic-groups/<uuid>/`) and/or the members REST API view (`/api/extras/dynamic-groups/<uuid>/members/`) to list the objects that are members of a given Dynamic Group. In versions of Nautobot between 1.3.0 (where the Dynamic Groups feature was added) and 1.6.22 inclusive, and 2.0.0 through 2.2.4 inclusive, Nautobot fails to restrict these listings based on the member object permissions - for example, a Dynamic Group of Device objects will list all Devices that it contains, regardless of the user's `dcim.view_device` permissions or lack thereof. This issue has been fixed in Nautobot versions 1.6.23 and 2.2.5. Users are advised to upgrade. This vulnerability can be partially mitigated by removing the `extras.view_dynamicgroup` permission from users; however, a full fix will require 
upgrading.","aliases":[{"alias":"CVE-2024-36112"},{"alias":"PYSEC-2024-166"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41187?format=json","purl":"pkg:pypi/nautobot@2.3.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.3.0b1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37684?format=json","purl":"pkg:pypi/nautobot@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d3uz-p963-6fay"},{"vulnerability":"VCID-kjkb-625k-kudt"},{"vulnerability":"VCID-qbp5-ry2r-hufh"},{"vulnerability":"VCID-qdhy-2gqp-1kgj"},{"vulnerability":"VCID-r31w-t9kj-kudc"},{"vulnerability":"VCID-vamd-bk63-gkh1"},{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/37685?format=json","purl":"pkg:pypi/nautobot@2.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d3uz-p963-6fay"},{"vulnerability":"VCID-kjkb-625k-kudt"},{"vulnerability":"VCID-qbp5-ry2r-hufh"},{"vulnerability":"VCID-r31w-t9kj-kudc"},{"vulnerability":"VCID-vamd-bk63-gkh1"},{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/37686?format=json","purl":"pkg:pypi/nautobot@2.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d3uz-p963-6fay"},{"vulnerability":"VCID-kjkb-625k-kudt"},{"vulnerability":"VCID-qbp5-ry2r-hufh"},{"vulnerability":"VCID-r31w-t9kj-kudc"},{"vulnerability":"VCID-vamd-bk63-gkh1"},{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nau
tobot@2.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/37687?format=json","purl":"pkg:pypi/nautobot@2.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d3uz-p963-6fay"},{"vulnerability":"VCID-kjkb-625k-kudt"},{"vulnerability":"VCID-qbp5-ry2r-hufh"},{"vulnerability":"VCID-r31w-t9kj-kudc"},{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/38133?format=json","purl":"pkg:pypi/nautobot@2.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d3uz-p963-6fay"},{"vulnerability":"VCID-kjkb-625k-kudt"},{"vulnerability":"VCID-qbp5-ry2r-hufh"},{"vulnerability":"VCID-r31w-t9kj-kudc"},{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.0.4"},{"url":"http://public2.vulnerablecode.io/api/packages/38134?format=json","purl":"pkg:pypi/nautobot@2.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d3uz-p963-6fay"},{"vulnerability":"VCID-kjkb-625k-kudt"},{"vulnerability":"VCID-qbp5-ry2r-hufh"},{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/38306?format=json","purl":"pkg:pypi/nautobot@2.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d3uz-p963-6fay"},{"vulnerability":"VCID-kjkb-625k-kudt"},{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/38393?format=json","purl":"pkg:pypi/nautobot@2.1.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerabilit
y":"VCID-d3uz-p963-6fay"},{"vulnerability":"VCID-kjkb-625k-kudt"},{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/38394?format=json","purl":"pkg:pypi/nautobot@2.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d3uz-p963-6fay"},{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39128?format=json","purl":"pkg:pypi/nautobot@2.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-d3uz-p963-6fay"},{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/39129?format=json","purl":"pkg:pypi/nautobot@2.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.2"},{"url":"http://public2.vulnerablecode.io/api/packages/41169?format=json","purl":"pkg:pypi/nautobot@2.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/41170?format=json","purl":"pkg:pypi/nautobot@2.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.4"},{"url":"http://public2.vulnerablecode.io/api/packages/41171?format=json"
,"purl":"pkg:pypi/nautobot@2.1.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.5"},{"url":"http://public2.vulnerablecode.io/api/packages/41172?format=json","purl":"pkg:pypi/nautobot@2.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.6"},{"url":"http://public2.vulnerablecode.io/api/packages/41173?format=json","purl":"pkg:pypi/nautobot@2.1.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.7"},{"url":"http://public2.vulnerablecode.io/api/packages/41174?format=json","purl":"pkg:pypi/nautobot@2.1.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.8"},{"url":"http://public2.vulnerablecode.io/api/packages/41175?format=json","purl":"pkg:pypi/nautobot@2.1.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.1.9"},{"url":"http://public2.vulnerablecode.io/api/packages/41176?format=json","purl":"pkg:pypi/nautobot@2.2.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/41177?format=json","purl":"pkg:pypi/nautobot@2.2.0","is_vulnerable":true,"af
fected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/41178?format=json","purl":"pkg:pypi/nautobot@2.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.1"},{"url":"http://public2.vulnerablecode.io/api/packages/41179?format=json","purl":"pkg:pypi/nautobot@2.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/41180?format=json","purl":"pkg:pypi/nautobot@2.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/41181?format=json","purl":"pkg:pypi/nautobot@2.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.4"},{"url":"http://public2.vulnerablecode.io/api/packages/41182?format=json","purl":"pkg:pypi/nautobot@2.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.5"},{"url":"http://public2.vulnerablecode.io/api/packages/41183?format=json","purl":"pkg:pypi/nautobot@2.2.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-z
ybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.6"},{"url":"http://public2.vulnerablecode.io/api/packages/41184?format=json","purl":"pkg:pypi/nautobot@2.2.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.7"},{"url":"http://public2.vulnerablecode.io/api/packages/41185?format=json","purl":"pkg:pypi/nautobot@2.2.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.8"},{"url":"http://public2.vulnerablecode.io/api/packages/41186?format=json","purl":"pkg:pypi/nautobot@2.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vr34-ms8k-zybv"},{"vulnerability":"VCID-z4ux-pgu6-6kc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nautobot@2.2.9"}],"references":[{"reference_url":"https://github.com/nautobot/nautobot/pull/5757","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nautobot/nautobot/pull/5757"},{"reference_url":"https://github.com/nautobot/nautobot/pull/5762","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nautobot/nautobot/pull/5762"},{"reference_url":"https://github.com/nautobot/nautobot/security/advisories/GHSA-qmjf-wc2h-6x3q","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nautobot/nautobot/security/advisories/GHSA-qmjf-wc2h-6x3q"}],"weaknesses":[],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z4ux-pgu6-6kc9"}