Any Information on remediation of CVE-2024-23780

[pwd-rh]

CVE-2024-23780 has been announced (see https://hazardlab.io/netbox-cve-2024-23780-writeup).
I did not find an issue open and am new to NetBox so I held off on opening the issue. Our use of NetBox
is behind a reverse proxy that requires authentication even to access NetBox so the issue is not one
that impacts us but it does not appear Hazardlab reported this issue to NetBox so I report it here.

[a084ed22]

Am I reading it right that the vulnerability requires the credentials or otherwise access to the system and the ability to add custom scripts? If that's the case, that would be yet another case of a cve mill.

[pwd-rh]

I am not sure, I don't work for Hazardlab but it looks like if you have access to the login (i.e. that the Netbox can be accessed
without logging in) As I said we put NetBox behind a (Authentik/Traefik) proxy with authentication only those that have logged in
can get to any of NetBox so we are good but others might not be so good. I wonder if Hazardlab even talked to NetBox.

[markkuleinio]

So, a user with permissions to add scripts is able to add scripts, is that it?

Sounds clickbait to me, the blog does not work and the images in linkedin were very unspecific about the actual problems.

But someone else feel free to comment.

[a084ed22]

I fail to see how their code accomplishes anything meaningful at all https://github.com/HazardLab-IO/CVE-2024-23780, so yes, it does feel clickbait and/or meaning to score a cve number rather than being an actual issue.

[jsenecal]

They basically omit to mention that to perform any of this you must have a user that is allowed to CREATE (and run) scripts to begin with.

for @pwd-rh , running netbox in containers (netbox-docker) completely destroys the CVE as the container cannot modify its own files nor access the root filesystem (unless configured otherwise).

The use-cases are well crafted but the attack surface would be nullified if the only users that have access to creating scripts also have access to the filesystem. Its just a matter of giving the right people the right permissions.

[pwd-rh]

Thanks for the review. Given that my co-founder (non-technical) found this a reply for the public might be a good idea.

[jeremystretch]

Nuisance CVE reports are becoming a more and more frequent problem in open source, unfortunately. People intent on farming reports (for clout, presumably) submit issues without any consideration for whether the behavior imposes an actual vulnerability. I highly recommend this article on the topic, which few people interested in addressing.