Nautobot User Authentication Bypass Vulnerability for Media Files

Vulnerability

A vulnerability exists in Nautobot versions prior to 2.4.10 and 1.6.32, allowing anonymous users to access files uploaded to the MEDIA_ROOT directory without authentication. This includes DeviceType image attachments and images associated with Locations, Devices, or Racks. The vulnerability arises because the URL endpoint serving these files does not enforce user authentication, so anyone who knows or can guess the correct URL can retrieve the file.

Impact

The vulnerability allows unauthorized access to media files, which could include sensitive information or proprietary images, depending on whether the requester knows or can guess the file names and URLs.

Reproduction

To reproduce this vulnerability, upload an image file to a Nautobot instance so that it is stored under the MEDIA_ROOT directory, either as a DeviceType image attachment or as an image linked to a Location, Device, or Rack. Once the file is uploaded, it can be retrieved via a URL that does not require authentication, provided the file name is known or can be guessed.

Remediation

Users can update to Nautobot versions 2.4.10 or 1.6.32, where this vulnerability has been patched by requiring authentication on the media file endpoint.
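The missing check and its fix, as an added Python sketch that is not Nautobot's own code: a framework-free stand-in for a Django view serving files from MEDIA_ROOT, in the pre-fix form (no authentication check) beside the hardened form. The Request class, the temporary MEDIA_ROOT and the sample image are constructed for this example; the hardened handler also confines the resolved path to MEDIA_ROOT, a general precaution for any file-serving view that this advisory does not discuss.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed stand-in for the upload directory that Django settings call MEDIA_ROOT,
# seeded with one fake DeviceType image so the handlers have something to serve.
MEDIA_ROOT = Path(tempfile.mkdtemp(prefix="media_root_")).resolve()
(MEDIA_ROOT / "devicetype-images").mkdir()
(MEDIA_ROOT / "devicetype-images" / "front.png").write_bytes(b"\x89PNG constructed sample")


@dataclass
class Request:
    """Minimal stand-in for a web request: only the field the access check needs
    (mirrors request.user.is_authenticated in Django)."""
    is_authenticated: bool = False


def serve_media_before_fix(request, rel_path):
    """Pre-fix pattern described by the advisory: the endpoint never looks at the
    user, so knowing or guessing the URL is enough to get the file."""
    target = MEDIA_ROOT / rel_path
    if not target.is_file():
        return 404, b""
    return 200, target.read_bytes()


def serve_media_after_fix(request, rel_path):
    """Hardened pattern: reject anonymous requests before touching the filesystem."""
    if not request.is_authenticated:
        # Same answer whether or not the file exists, so anonymous callers
        # cannot probe for valid file names either.
        return 401, b""
    target = (MEDIA_ROOT / rel_path).resolve()
    # Confine the resolved path to MEDIA_ROOT (general precaution for any
    # file-serving view; not part of this advisory).
    if MEDIA_ROOT not in target.parents or not target.is_file():
        return 404, b""
    return 200, target.read_bytes()


def anonymous_leaks(handler, rel_path="devicetype-images/front.png"):
    """Regression check: True if an unauthenticated request gets the file body back."""
    status, body = handler(Request(is_authenticated=False), rel_path)
    return status == 200 and len(body) > 0


if __name__ == "__main__":
    for handler in (serve_media_before_fix, serve_media_after_fix):
        print(f"{handler.__name__}: anonymous access leaks file = {anonymous_leaks(handler)}")
```

The same anonymous_leaks check, pointed at a handler of your own, is a cheap regression test to keep in a project's test suite so the authentication requirement cannot silently regress.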

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

  spread          1.9
  impact          0.6
  exploitability  7.2
  remediation     7.7
  relevance       0.2
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.