GHSA-535g-62r7-cx6v

Source

https://github.com/advisories/GHSA-535g-62r7-cx6v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-535g-62r7-cx6v/GHSA-535g-62r7-cx6v.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-535g-62r7-cx6v

Aliases

CVE-2025-62607

Published

2025-10-21T21:46:35Z

Modified

2025-10-22T20:19:33.415839Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Nautobot Single Source of Truth (SSoT) has an unauthenticated ServiceNow configuration URL

Details

The servicenow config URL is using a generic django View with no authentication.

URL: /plugins/ssot/servicenow/config/

Impact

What kind of vulnerability is it? Who is impacted? An Unauthenticated attacker could access this page to view the Service Now public instance name e.g. companyname.service-now.com. This is considered low-value information. This does not expose the Secret, the Secret Name, or the Secret Value for the Username/Password for Service-Now.com. An unauthenticated member would not be able to change the instance name, nor set a Secret. There is not a way to gain access to other pages Nautobot through the unauthenticated Configuration page.

Patches

Has the problem been patched? What versions should users upgrade to? We highly recommend upgrading to SSoT v3.10.0 which includes this patch.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? Disable the servicenow SSoT integration

Database specific

{
    "cwe_ids": [
        "CWE-306"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2025-10-22T16:15:45Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-21T21:46:35Z"
}

References

Affected packages

PyPI / nautobot-ssot

Package

Name: nautobot-ssot; View open source insights on deps.dev
Purl: pkg:pypi/nautobot-ssot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.10.0

Affected versions

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.3.1

1.3.2

1.4.0

1.5.0

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

2.*

2.0.0b1

2.0.0b2

2.0.0rc1

2.0.0rc2

2.0.0

2.0.1

2.0.2

2.1.0

2.2.0

2.3.0

2.4.0

2.5.0

2.6.0

2.6.1

2.7.0

2.8.0

2.8.1

3.*

3.0.0

3.0.1

3.1.0

3.2.0

3.3.0

3.4.0

3.5.0

3.6.0

3.7.0

3.8.0

3.8.1

3.9.0

3.9.1

3.9.2

3.9.3

3.9.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-535g-62r7-cx6v/GHSA-535g-62r7-cx6v.json"