PyPi: Nautobot

CVE-2023-45803

Transitive

Safety vulnerability ID: 63441

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Oct 17, 2023. Updated at Apr 14, 2025.

Advisory

Nautobot 2.0.3 upgrades the urllib3 dependency from version 2.0.6 to 2.0.7, following the discovery of a security vulnerability known as CVE-2023-45803.
https://github.com/nautobot/nautobot/pull/4671/commits/387d30432452dd622f5125fe3ccd23dd8045790d

Affected package

nautobot

Latest version: 2.4.7

Source of truth and network automation platform.

Affected versions

Fixed versions

Vulnerability changelog

What's Changed

Added

- [4612](https://github.com/nautobot/nautobot/issues/4612) - Added validation step to handle invalid/legacy filters from v1.x in DynamicGroup form validation.
- [4668](https://github.com/nautobot/nautobot/issues/4668) - Added an `ENABLE_ALPHA_UI` configuration option to the settings, which is initially set to False. When set to True, this option enables the "Alpha UI 2.0" feature.

Changed

- [4668](https://github.com/nautobot/nautobot/issues/4668) - Changed the flag `--no-build-ui` to `--build-ui`, and its default value to False for the `nautobot-server post-upgrade` command.

Fixed

- [4604](https://github.com/nautobot/nautobot/issues/4604) - Fixed `post_upgrade` bug involving potential left over references to Aggregate, DeviceRole, and RackRole ContentTypes in ObjectChange records.
- [4608](https://github.com/nautobot/nautobot/issues/4608) - Fixed error `'IPAddressBulkAddForm' has no field named 'parent'` when bulk creating IPs via UI.
- [4669](https://github.com/nautobot/nautobot/issues/4669) - Added redirects from 1.x documentation paths to their 2.x equivalents to fix broken links/bookmarks.
- [4676](https://github.com/nautobot/nautobot/issues/4676) - Ensured that `ScheduledJob.job_class` values are correctly transferred to `ScheduledJob.task` during v2 migration.
- [4692](https://github.com/nautobot/nautobot/issues/4692) - Fixed incorrect inheritance of `Meta` attributes into nested serializers (`depth >= 1`).

Housekeeping

- [4692](https://github.com/nautobot/nautobot/issues/4692) - Added check in REST API generic test cases to detect strings like `password` and `sha256` that shouldn't generally appear in REST API responses.

Security

- [4671](https://github.com/nautobot/nautobot/issues/4671) - Updated `urllib3` to 2.0.7 due to CVE-2023-45803. This is not a direct dependency, so it will not auto-update when upgrading Nautobot. Please be sure to upgrade `urllib3` in your local environment as well.
- [4673](https://github.com/nautobot/nautobot/issues/4673) - Fixed token exposure in `JobResult` traceback and result output when a `GitRepositorySync` job fails in certain ways.
- [4692](https://github.com/nautobot/nautobot/issues/4692) - Fixed potential exposure of hashed user password data on certain REST API endpoints when using the `?depth=1` query parameter. For more details, please refer to [GHSA-r2hw-74xv-4gqp](https://github.com/nautobot/nautobot/security/advisories/GHSA-r2hw-74xv-4gqp).

Contributors

* glennmatthews
* timizuoebideri1
* bryanculver
* HanlinMiao
* dependabot
* jathanism

**Full Changelog**: https://github.com/nautobot/nautobot/compare/v2.0.2...v2.0.3

Resources

Severity Details

CVSS Base Score

MEDIUM 4.2

CVSS v3 Details

MEDIUM 4.2
Attack Vector (AV): ADJACENT_NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): HIGH
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): NONE
Availability Impact (A): NONE