Information disclosure in Nautobot - CVE-2024-29199
Published: March 25, 2024 / Updated: May 11, 2026
Nautobot
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in multiple URL endpoints when handling unauthenticated requests. A remote attacker can access improperly exposed endpoints to disclose sensitive information.
Access to the most sensitive exposed endpoint requires prior knowledge of a JobResult UUID. Some dynamic-group endpoints disclose Nautobot data only if the EXEMPT_VIEW_PERMISSIONS configuration is set to a non-default value.
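A check an operator can run to see whether a deployment has the non-default EXEMPT_VIEW_PERMISSIONS setting mentioned above. This is an added example, not code from the advisory or from the Nautobot project. It assumes the setting is a top-level assignment in a Python config file such as nautobot_config.py, that the default is an empty list, and that "*" exempts every model; the sample config and the model names are constructed.

```python
import ast

SETTING = "EXEMPT_VIEW_PERMISSIONS"

# Constructed sample config; the model names are illustrative.
SAMPLE_CONFIG = '''
import os
ALLOWED_HOSTS = os.getenv("NAUTOBOT_ALLOWED_HOSTS", "").split(" ")
EXEMPT_VIEW_PERMISSIONS = ["dcim.location", "ipam.prefix"]
'''

def audit_exempt_view_permissions(config_source):
    """Classify the setting from config text without executing the file.

    Only top-level statements are read; the last assignment wins, as at import.
    Assumption: unset or an empty list is the default, "*" exempts all models.
    """
    finding = {"status": "default", "models": [], "line": None}
    for node in ast.parse(config_source).body:
        if isinstance(node, ast.Assign):
            targets = node.targets
        elif isinstance(node, (ast.AnnAssign, ast.AugAssign)):
            targets = [node.target]
        else:
            continue
        if not any(isinstance(t, ast.Name) and t.id == SETTING for t in targets):
            continue
        if isinstance(node, ast.AnnAssign) and node.value is None:
            continue  # bare annotation, assigns nothing
        # Until proven literal, treat the value as computed: review it by hand.
        finding = {"status": "dynamic", "models": [], "line": node.lineno}
        if isinstance(node, ast.AugAssign):
            continue  # "+=" depends on an earlier value
        try:
            value = ast.literal_eval(node.value)
        except (ValueError, TypeError, SyntaxError):
            continue  # env lookup, function call, name reference, ...
        if not isinstance(value, (list, tuple, set)) or not all(
                isinstance(m, str) for m in value):
            continue  # not a collection of model names
        models = sorted(value)
        status = "exempt_all" if "*" in models else "exempt" if models else "default"
        finding = {"status": status, "models": models, "line": node.lineno}
    return finding
```

A status of "exempt" or "exempt_all" means the deployment meets the condition the advisory gives for the dynamic-group endpoints; "dynamic" means the value is computed at runtime and has to be checked on the running instance.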