CVE-2023-50263: 
Python vulnerability analysis and mitigation

Nautobot, a Network Source of Truth and Network Automation Platform built on Django, was found to have a security vulnerability in versions 1.x and 2.0.x prior to 1.6.7 and 2.0.6. The vulnerability exists in the URLs /files/get/?name=... and /files/download/?name=... which are used to provide admin access to files uploaded as part of Job requests. The issue was discovered and reported by Kircheneer on December 12, 2023 (GitHub Advisory).

The vulnerability stems from the default implementation provided by django-db-file-storage, where the file access URLs do not require user authentication. While no URL mechanism exists for listing or traversing available file names, if a user knows the specific file name/path value, they can access it without authentication. The vulnerability has been assigned CVE-2023-50263 with a CVSS v3.1 base score of 3.7 (Low) and vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue is classified under CWE-306 (Missing Authentication for Critical Function) by NIST and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) by GitHub (NVD).

The vulnerability could allow unauthorized users to access files that have been uploaded as part of Job requests with FileVar inputs. Although these files are typically ephemeral and are deleted once the Job runs, an attacker who knows the file name/path could potentially access sensitive information without proper authentication (GitHub Advisory).

The vulnerability has been fixed in Nautobot versions 1.6.7 and 2.0.6. For affected versions, there are no workarounds available other than applying the patches included in the security fixes. The patches implement proper authentication and object permissions enforcement on the DB file storage views (GitHub Advisory).