SCA: security update for nautobot-device-onboarding (GHSA-qf3c-rw9f-jh7v)

medium Tenable Self-Hosted Container Security Plugin ID 418080

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding
process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in
version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are visible via Job
Results from an execution of an Onboarding Task. Version 3.0.0 fixes this issue; no known workarounds are
available. Mitigation recommendations include deleting all Job Results for any onboarding task to remove
clear text credentials from database entries that were run while on v2.0.X, upgrading to v3.0.0, and
rotating any exposed credentials. (CVE-2023-48700)

See Also

https://github.com/advisories/GHSA-qf3c-rw9f-jh7v

Plugin Details

Severity: Medium

ID: 418080

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2023-48700

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/21/2023

Vulnerability Publication Date: 11/21/2023

Reference Information

CVE: CVE-2023-48700