The first maintenance release of the 5.13 series of NAV is now out, and contains a security patch for a serious privilege escalation vulnerability in the web GUI. We recommend that all users upgrade as soon as possible.
The source code is available for download at GitHub [1].
New packages for Debian 12 (Bookworm) and 11 (Bullseye) are available in our APT repository.
Security ========
- Lock down API access for unprivileged users
By default, NAV granted full API access to logged-in users, regardless of their configured privilege level. This would give unprivileged users access to manipulate NAV configuration and even elevate their own user privileges to administrator level. Read the full security advisory at https://github.com/Uninett/nav/security/advisories/GHSA-gprr-5vvf-582g
Changed =======
- Update NAPALM dependency to 5.0 to keep NAV web GUI working (#2358)
Fixed =====
- Fix filtering of 'Last seen' and sorting by 'Last active' in netbox interfaces view in room info (#3329)
Release notes =============
We always advise you to have a look at NAV’s accompanying release notes before upgrading.
Happy NAVing everyone!
Links =====
[1] https://github.com/Uninett/nav/releases [2] https://nav.uninett.no/install-instructions/#debian [3] https://nav.readthedocs.io/en/latest/release-notes.html#nav-5-13
nav-users@lister.sikt.no said:
- Lock down API access for unprivileged users
Could this have unexpected consequences?
Non-admin users does now get an Ajax error when viewing ports on a device. (See picture)
From Apache access log: "GET /api/1/interface/?page_size=10000&netbox=5733&_=1747125228426 HTTP/1.1" 403 63
When logged in with my admin user the logs shows "GET /api/1/interface/?page_size=10000&netbox=5733&ifclass=trunk&last_used=on& _=1747125489227 HTTP/1.1" 200 36615
--Ingeborg
My NAV installation don't update port description.
I'm using switches Cisco Catalyst 3750: Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E, RELEASE SOFTWARE (fc2)
I already had this problem, I also updated to the latest NAV 5.13.1 but I always the same problem.
If I change the interface description from NAV GUI (portadmin), description is not updated on the switch. If I change, for example, vlan, vlan is correctly updated.
Any suggestion will be appreciated.
Davide
On Tue 13 May 2025 at 11:39, Ingeborg Hellemo ingeborg.hellemo@uit.no wrote:
- Lock down API access for unprivileged users
Could this have unexpected consequences?
Non-admin users does now get an Ajax error when viewing ports on a device.
Yes, it did. We realized that the frontend calls the 'interface' endpoint of the API when populating the port table.
We have opened a pull request that will fix this problem: https://github.com/Uninett/nav/pull/3373 and we are planning on making a bugfix release with this fix as soon as possible.
-- Sincerely, Johanna England
Sikt – Norwegian Agency for Shared Services in Education and Research
-
Davide Miccone -
Ingeborg Hellemo -
Johanna England -
Morten Brekkevold