CVE-2023-48700
Python vulnerability analysis and mitigation

Overview

The Nautobot Device Onboarding plugin (versions 2.0.0 up to, but not including, 3.0.0) contains a vulnerability where credentials provided to onboarding tasks are exposed in clear text via Job Results. The vulnerability was discovered and disclosed on November 21, 2023, affecting installations using the plugin for device onboarding into Nautobot. This issue specifically impacts instances where credentials are specified during OnboardingTask creation while using versions 2.0.0-2.0.2 (GitHub Advisory).

Technical details

The vulnerability (CVE-2023-48700) exposes clear-text credentials in the Job Results view under the Additional Data tab, where they appear as args of the Celery task execution. The issue has a CVSS v3.1 base score of 6.5 (Medium) according to NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability does not affect installations using NAPALM_USERNAME and NAPALM_PASSWORD from nautobot_config.py, or versions prior to 2.0.0 (GitHub Advisory).

Impact

The exposure of clear text credentials in Job Results poses a significant security risk as it could allow unauthorized access to sensitive authentication information. This could potentially lead to unauthorized access to network devices if the exposed credentials are valid and not rotated (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in version 3.0.0. Recommended mitigation steps are: 1) delete all Job Results for any onboarding task that ran while on v2.0.x, removing the clear-text credentials from those database entries; 2) upgrade to v3.0.0; and 3) rotate any exposed credentials. There are no known workarounds for this vulnerability other than applying the recommended fixes (GitHub Advisory).
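The following is an added example (not code from the advisory or from the nautobot-device-onboarding project) showing how a defender could triage step 1 of the mitigation: finding the onboarding Job Results whose stored Celery task args or kwargs carry clear-text credentials, so those records can be deleted and the matching credentials rotated. The JobResult layout, the job name strings, the credential-key naming and all sample records are assumptions constructed for the example; a real deployment would read the records from Nautobot's database instead.

```python
"""Triage helper for credential leakage into stored job results (CVE-2023-48700 class).

Added example, not part of the advisory or the nautobot-device-onboarding project.
The JobResult structure, job names and key names below are assumed stand-ins for
Nautobot's real model and the 'Additional Data' tab; sample records are constructed.
"""
import re
from dataclasses import dataclass, field

# Key names treated as secret-bearing (assumed naming; anchored at the end of the key so
# that e.g. "enable_password" matches but "token_expiry" does not).
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|secret|token)$", re.IGNORECASE)

# Substring that identifies onboarding tasks in the stored job name (assumed).
ONBOARDING_MARKER = "onboarding"


@dataclass
class JobResult:
    """Simplified stand-in for a Nautobot JobResult row (assumed layout)."""
    id: int
    job_name: str
    task_args: list = field(default_factory=list)
    task_kwargs: dict = field(default_factory=dict)


def _flatten(obj, path=""):
    """Yield (path, value) for every leaf inside nested dicts/lists/tuples."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, (list, tuple)):
        for index, value in enumerate(obj):
            yield from _flatten(value, f"{path}[{index}]")
    else:
        yield path, obj


def find_exposures(result, known_secrets=()):
    """Return the paths inside task args/kwargs that hold clear-text credentials.

    A leaf is flagged when its key name looks secret-bearing (kwargs), or when its
    value equals one of the operator's known credential values. The second rule is
    what catches positional args, which carry no key name at all.
    """
    hits = []
    payload = {"args": result.task_args, "kwargs": result.task_kwargs}
    for path, value in _flatten(payload):
        if not isinstance(value, str) or not value:
            continue
        key = path.rsplit(".", 1)[-1]
        if SECRET_KEY_RE.search(key) or value in known_secrets:
            hits.append(path)
    return hits


def triage(results, known_secrets=()):
    """Return ids of onboarding JobResults that leak credentials and must be deleted."""
    return [
        r.id
        for r in results
        if ONBOARDING_MARKER in r.job_name.lower() and find_exposures(r, known_secrets)
    ]


# Constructed sample records; the credential value is a placeholder, not a real secret.
SAMPLE_RESULTS = [
    # Positional args: no key name, so only the known-secret match can find it.
    JobResult(1, "nautobot_device_onboarding.OnboardingTask",
              task_args=["10.0.0.1", "netops", "Pl4ceholder!"]),
    # Keyword args: the key name alone is enough to flag it.
    JobResult(2, "nautobot_device_onboarding.OnboardingTask",
              task_kwargs={"ip_address": "10.0.0.2", "username": "netops",
                           "password": "Pl4ceholder!"}),
    # Credentials came from NAPALM_* settings instead: nothing stored in the result.
    JobResult(3, "nautobot_device_onboarding.OnboardingTask",
              task_kwargs={"ip_address": "10.0.0.3"}),
    # Not an onboarding task, so outside the scope of this cleanup.
    JobResult(4, "nautobot.core.jobs.ExportJob", task_kwargs={"token": "x"}),
]


if __name__ == "__main__":
    for result_id in triage(SAMPLE_RESULTS, known_secrets={"Pl4ceholder!"}):
        print(f"JobResult {result_id}: delete the record and rotate its credentials")
```

Passing the set of credential values currently issued for onboarding (from the operator's secret store) as `known_secrets` matters: the advisory notes the values show up as Celery task args, and a positional arg has no name to match on, so record 1 above is only caught by value.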


Related Python vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| GHSA-5882-5rx9-xgxp | CRITICAL | 10 | Python | crawl4ai | No | Yes | Jan 16, 2026 |
| CVE-2026-23949 | HIGH | 8.6 | Python | jaraco.context | No | Yes | Jan 20, 2026 |
| GHSA-vx9w-5cx4-9796 | HIGH | 8.6 | Python | crawl4ai | No | Yes | Jan 16, 2026 |
| CVE-2026-23535 | HIGH | 8 | Python | wlc | No | Yes | Jan 16, 2026 |
| CVE-2026-23490 | HIGH | 7.5 | Python | fence-agents-intelmodular | No | Yes | Jan 16, 2026 |
