Publish GHSA-535g-62r7-cx6v

advisory-database[bot] · advisory-database[bot] · commit 1a479425bbc5 · 2025-10-21T21:48:39.000Z
diff --git a/advisories/github-reviewed/2025/10/GHSA-535g-62r7-cx6v/GHSA-535g-62r7-cx6v.json b/advisories/github-reviewed/2025/10/GHSA-535g-62r7-cx6v/GHSA-535g-62r7-cx6v.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-535g-62r7-cx6v",
+  "modified": "2025-10-21T21:46:35Z",
+  "published": "2025-10-21T21:46:35Z",
+  "aliases": [
+    "CVE-2025-62607"
+  ],
+  "summary": "Nautobot Single Source of Truth (SSoT) has an unauthenticated ServiceNow configuration URL",
+  "details": "The servicenow config URL is using a generic django View with no authentication.\n\nURL: `/plugins/ssot/servicenow/config/`\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\nAn Unauthenticated attacker could access this page to view the Service Now public instance name e.g. `companyname.service-now.com`. This is considered **low-value information**.  This does not expose the Secret, the Secret Name, or the Secret Value for the Username/Password for Service-Now.com. An unauthenticated member would not be able to change the instance name, nor set a Secret. There is not a way to gain access to other pages Nautobot through the unauthenticated Configuration page.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\nWe highly recommend upgrading to SSoT v3.10.0 which includes this patch.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nDisable the servicenow SSoT integration",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "nautobot-ssot"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.10.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nautobot/nautobot-app-ssot/security/advisories/GHSA-535g-62r7-cx6v"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nautobot/nautobot-app-ssot/commit/1530d25cdeb929641ec47644f9a0a1d9d41e1cb8"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nautobot/nautobot-app-ssot"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nautobot/nautobot-app-ssot/releases/tag/v3.10.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-21T21:46:35Z",
+    "nvd_published_at": null
+  }
+}
