CVE-2023-46128: 
Python vulnerability analysis and mitigation

Nautobot is a Network Automation Platform that experienced a security vulnerability (CVE-2023-46128) in version 2.0.x. The vulnerability allowed authenticated users to access hashed user passwords stored in the database through certain REST API endpoints when using the ?depth= query parameter. The issue was discovered and patched in version 2.0.3 (GitHub Advisory).

The vulnerability stems from incorrect inheritance of Meta attributes into nested serializers when using depth >= 1 in REST API calls. Affected endpoints include /api/dcim/rack-reservations/, /api/extras/job-results/, /api/extras/notes/, /api/extras/object-changes/, /api/extras/scheduled-jobs/, and /api/users/permissions/ when accessed with the ?depth=1 parameter. The vulnerability has a CVSS v3.1 base score of 6.5 MEDIUM (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) (GitHub Advisory).

The vulnerability exposes hashed user passwords stored in the database to any authenticated user with access to the affected REST API endpoints. While the passwords are not exposed in plaintext, access to password hashes could potentially be used in offline password cracking attempts (GitHub Advisory).

The vulnerability has been patched in Nautobot version 2.0.3. Users are strongly recommended to upgrade to this version or later. While it's possible to partially mitigate the issue by restricting access to the affected REST API endpoints, this is not recommended as other endpoints may also be vulnerable until patched (GitHub Advisory).