CVE-2024-36112 [Medium] | Security Vulnerability in Nautobot

Nautobot is a Network Source of Truth and Network Automation Platform. A user with permissions to view Dynamic Group records (`extras.view_dynamicgroup` permission) can use the Dynamic Group detail UI view (`/extras/dynamic-groups/<uuid>/`) and/or the members REST API view (`/api/extras/dynamic-groups/<uuid>/members/`) to list the objects that are members of a given Dynamic Group. In versions of Nautobot between 1.3.0 (where the Dynamic Groups feature was added) and 1.6.22 inclusive, and 2.0.0 through 2.2.4 inclusive, Nautobot fails to restrict these listings based on the member object permissions - for example a Dynamic Group of Device objects will list all Devices that it contains, regardless of the user's `dcim.view_device` permissions or lack thereof. This issue has been fixed in Nautobot versions 1.6.23 and 2.2.5. Users are advised to upgrade. This vulnerability can be partially mitigated by removing `extras.view_dynamicgroup` permission from users however a full fix will require upgrading.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-10-17	0.11%	0.15%	+0.04%
2	2025-07-09	0.15%	0.11%	-0.04%
3	2025-07-07	—	0.15%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-10-17

0.11%

0.15%

+0.04%

2025-07-09

0.15%

0.11%

-0.04%

2025-07-07

—

0.15%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.3	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	1.8	4.0	[email protected]
6.5	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	2.8	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.3

3.1

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

1.8

4.0

[email protected]

6.5

3.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

2.8

3.6

[email protected]

Affected software / configurations for CVE-2024-36112

Vendor	Product	Version	Raw CPE
networktocode	nautobot	>= 1.3.0, < 1.6.23	cpe:2.3:a:networktocode:nautobot::::::::
networktocode	nautobot	>= 2.0.0, <= 2.2.5	cpe:2.3:a:networktocode:nautobot::::::::

References for CVE-2024-36112

URL	Tags
https://github.com/nautobot/nautobot/pull/5757	Patch
https://github.com/nautobot/nautobot/pull/5762	Patch
https://github.com/nautobot/nautobot/security/advisories/GHSA-qmjf-wc2h-6x3q	Third Party Advisory

URL

CVE-2024-36112 | Nautobot dynamic-group-members doesn't enforce permission restrictions on member objects

Exploit prediction scoring system (EPSS) score for CVE-2024-36112

Common vulnerability scoring system (CVSS) metrics for CVE-2024-36112

Weakness enumeration for CVE-2024-36112

GitHub Security Advisory for CVE-2024-36112

Affected software / configurations for CVE-2024-36112

References for CVE-2024-36112