Nautobot
cpe:2.3:a:networktocode:nautobot:*:*:*:*:*:*:*
- < 2.4.30
- >= 3.0.0, < 3.0.10
A vulnerability exists in Nautobot versions prior to 2.4.30 and 3.0.10, where the REST API for user creation and editing does not enforce password validation rules specified by Django's AUTH_PASSWORD_VALIDATORS setting. This oversight can lead to the creation or modification of user accounts with weak passwords that do not meet established standards. In contrast, password validation is correctly applied when managing users through the Nautobot admin UI.
Exploitation of this vulnerability could result in the creation or modification of user accounts with weak passwords that do not comply with configured standards, potentially leading to unauthorized access or actions within the application.
To reproduce this vulnerability, create or edit a user account via the Nautobot REST API with AUTH_PASSWORD_VALIDATORS configured, supplying a password that the configured validators would reject. The account is created or modified without the password validation rules being applied, so the non-compliant password is accepted. The issue can be verified by checking the stored password's strength against the configured validation rules. Performing the same actions through the Nautobot admin UI correctly enforces the password validation, highlighting the discrepancy in how password rules are applied between the REST API and the admin interface.
Users can update to Nautobot versions 2.4.30 or 3.0.10 to address this vulnerability. Additionally, it may be necessary to review and rotate passwords for accounts that could have been assigned weak passwords.
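The following is an added illustration, not Nautobot or Django code: a minimal stand-in for Django's AUTH_PASSWORD_VALIDATORS pipeline that shows a user-creation path which stores the password without consulting the validators (the REST API behaviour described above) beside a hardened path that runs them first (what the admin UI does). The validator classes, the `User` model and the two create-user functions are constructed for this example; in a real deployment the fix is for the API serializer to call `django.contrib.auth.password_validation.validate_password` before `set_password`. The `check_password_policy` helper is the kind of check an operator can use to confirm whether a candidate password meets the configured rules when reviewing accounts for rotation.

```python
"""Constructed stand-in for Django's AUTH_PASSWORD_VALIDATORS pipeline (not
Django or Nautobot code). Shows a create-user path that skips validation
next to one that enforces it before persisting the password."""
from dataclasses import dataclass, field


class ValidationError(Exception):
    """Carries every message collected from the failing validators."""

    def __init__(self, messages):
        super().__init__("; ".join(messages))
        self.messages = list(messages)


class MinimumLengthValidator:
    def __init__(self, min_length=8):
        self.min_length = min_length

    def validate(self, password, user=None):
        if len(password) < self.min_length:
            raise ValidationError(
                [f"This password is too short. It must contain at least "
                 f"{self.min_length} characters."])


class NumericPasswordValidator:
    def validate(self, password, user=None):
        if password.isdigit():
            raise ValidationError(["This password is entirely numeric."])


class UserAttributeSimilarityValidator:
    """Rejects a password that contains the username, case-insensitively."""

    def validate(self, password, user=None):
        if user is not None and user.username.lower() in password.lower():
            raise ValidationError(["The password is too similar to the username."])


# Stand-in for the AUTH_PASSWORD_VALIDATORS setting: validators applied in
# order, with all failures reported together (assumed configuration).
AUTH_PASSWORD_VALIDATORS = [
    MinimumLengthValidator(min_length=8),
    NumericPasswordValidator(),
    UserAttributeSimilarityValidator(),
]


def validate_password(password, user=None, password_validators=None):
    """Run every configured validator and raise once with all messages."""
    errors = []
    for validator in password_validators or AUTH_PASSWORD_VALIDATORS:
        try:
            validator.validate(password, user)
        except ValidationError as exc:
            errors.extend(exc.messages)
    if errors:
        raise ValidationError(errors)


@dataclass
class User:
    username: str
    password: str = field(default="", repr=False)

    def set_password(self, raw):
        # A real application stores a salted hash; plain storage keeps this short.
        self.password = raw


def vulnerable_api_create_user(username, password):
    """Mirrors the flawed REST path: stored without consulting the validators."""
    user = User(username)
    user.set_password(password)
    return user


def hardened_api_create_user(username, password):
    """Fixed path: validate against the configured rules before persisting."""
    user = User(username)
    validate_password(password, user=user)  # raises on a non-compliant password
    user.set_password(password)
    return user


def check_password_policy(password, username):
    """Return the rule violations for a candidate password (empty = compliant)."""
    try:
        validate_password(password, user=User(username))
    except ValidationError as exc:
        return exc.messages
    return []


if __name__ == "__main__":
    weak = "1234567"  # constructed sample input
    print("vulnerable path accepted:", vulnerable_api_create_user("alice", weak))
    print("policy violations:", check_password_policy(weak, "alice"))
    try:
        hardened_api_create_user("alice", weak)
    except ValidationError as exc:
        print("hardened path rejected:", exc.messages)
```

The vulnerable and hardened functions differ by a single call, which is the point of the advisory: enforcement lives in the validator list, but only code paths that invoke it benefit. Verifying an account after the fact cannot be done from the stored hash alone, so the policy check is applied to candidate passwords at the time they are set or rotated.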