
Cloud Vulnerability DB
A community-led vulnerabilities database
Nautobot, a Network Source of Truth and Network Automation Platform built on the Django framework with a PostgreSQL/MySQL database, contains a permission bypass vulnerability (CVE-2023-51649). When Jobs are executed via Job Buttons, the system only verifies the model-level extras.run_job permission and fails to enforce object-level permissions for specific Jobs. The vulnerability was discovered in December 2023 and affects versions from 1.5.14 up to (excluding) 1.6.8 and 2.1.0 (GitHub Advisory).
The vulnerability stems from insufficient permission checks in the JobButton execution flow. When a user submits a Job through a Job Button, the system only validates the model-level extras.run_job permission, which determines whether the user can run Jobs in general. It fails to verify the object-level permissions that should control access to specific Jobs. The vulnerability specifically affects Jobs implemented as subclasses of JobButtonReceiver. The CVSS v3.1 score is 3.5 (Low), with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L (GitHub Advisory).
The vulnerability allows a user with permission to run even a single Job to execute every configured JobButton Job in the system, regardless of the user's specific access permissions. This creates a privilege escalation scenario in which users can perform actions beyond their intended access scope (GitHub Advisory).
The vulnerability has been patched in Nautobot versions 1.6.8 and 2.1.0. As a partial workaround before upgrading, administrators can audit the JobButtonReceiver subclasses in their system and restrict which users are permitted to create or edit JobButton records. The fix removes the redundant extras.run_jobbutton permission check, which was found to be ineffective in achieving its documented purpose (GitHub Advisory).
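Illustration of the missing check, as an added example with constructed data rather than Nautobot's own code: the Job and User classes, the job names and the constraint model are assumptions, but the contrast is the one described above, a model-level extras.run_job check alone versus the same check scoped to the specific Job.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class Job:
    """A Job exposed through a Job Button (hypothetical model, not Nautobot's)."""
    name: str

@dataclass
class User:
    username: str
    # Model-level permissions, e.g. "extras.run_job" = may run Jobs in general.
    model_perms: Set[str] = field(default_factory=set)
    # Object-level constraint: the Job names "extras.run_job" is granted for.
    # None means unconstrained (any Job); an empty set grants no specific Job.
    job_constraint: Optional[Set[str]] = None

    def has_perm(self, perm: str, obj: Optional[Job] = None) -> bool:
        """Model-level check when obj is None, object-level check otherwise."""
        if perm not in self.model_perms:
            return False
        if obj is None or self.job_constraint is None:
            return True
        return obj.name in self.job_constraint

def job_button_allowed_vulnerable(user: User, job: Job) -> bool:
    """Pre-fix pattern: only the model-level check, so anyone who may run
    some Job may run every JobButton Job (the job argument is never consulted)."""
    return user.has_perm("extras.run_job")

def job_button_allowed_fixed(user: User, job: Job) -> bool:
    """Patched pattern: the object-level check ties the decision to this Job."""
    return user.has_perm("extras.run_job", obj=job)

def decisions() -> Dict[str, bool]:
    """Constructed scenario: 'alice' is granted extras.run_job only for 'report_only'."""
    alice = User("alice", {"extras.run_job"}, {"report_only"})
    report_only = Job("report_only")
    change_config = Job("change_config")
    return {
        "vulnerable_report_only": job_button_allowed_vulnerable(alice, report_only),
        "vulnerable_change_config": job_button_allowed_vulnerable(alice, change_config),
        "fixed_report_only": job_button_allowed_fixed(alice, report_only),
        "fixed_change_config": job_button_allowed_fixed(alice, change_config),
    }

if __name__ == "__main__":
    for check, allowed in decisions().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

With the vulnerable dispatch both Jobs are allowed for alice; the fixed dispatch allows only the Job her object-level constraint names.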
Source: This report was generated using AI