Security announcement: NAV 5.13.1 released
The first maintenance release of the 5.13 series of NAV is now out, and contains a security patch for a serious privilege escalation vulnerability in the web GUI. We recommend that all users upgrade as soon as possible.

The source code is available for download at GitHub [1]. New packages for Debian 12 (Bookworm) and 11 (Bullseye) are available in our APT repository.

Security
========

- Lock down API access for unprivileged users

  By default, NAV granted full API access to logged-in users, regardless of their configured privilege level. This would give unprivileged users access to manipulate NAV configuration and even elevate their own user privileges to administrator level.

  Read the full security advisory at https://github.com/Uninett/nav/security/advisories/GHSA-gprr-5vvf-582g

Changed
=======

- Update NAPALM dependency to 5.0 to keep NAV web GUI working (#2358)

Fixed
=====

- Fix filtering of 'Last seen' and sorting by 'Last active' in netbox interfaces view in room info (#3329)

Release notes
=============

We always advise you to have a look at NAV’s accompanying release notes before upgrading.

Happy NAVing everyone!

Links
=====

[1] https://github.com/Uninett/nav/releases
[2] https://nav.uninett.no/install-instructions/#debian
[3] https://nav.readthedocs.io/en/latest/release-notes.html#nav-5-13
nav-users@lister.sikt.no said:

> - Lock down API access for unprivileged users

Could this have unexpected consequences? Non-admin users now get an Ajax error when viewing ports on a device. (See picture)

From the Apache access log:

"GET /api/1/interface/?page_size=10000&netbox=5733&_=1747125228426 HTTP/1.1" 403 63

When logged in with my admin user the log shows:

"GET /api/1/interface/?page_size=10000&netbox=5733&ifclass=trunk&last_used=on&_=1747125489227 HTTP/1.1" 200 36615

--Ingeborg

-- 
Ingeborg Østrem Hellemo -- ingeborg.hellemo@uit.no
Dep. of Information Technology --- Univ. of Tromsø
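The two access-log lines above are enough to tell the regression apart from a legitimate denial: the port table is populated by the web GUI's own Ajax call to the 'interface' endpoint, and after the lockdown that call fails with 403 for non-admin sessions. The script below is an added example (not part of the NAV project or of this thread) that scans access-log entries shaped like the ones quoted, counts 403 responses under /api/, and separates requests that look like the GUI's own Ajax traffic from those made by a separate API client. The sample entries are constructed to match the two quoted lines; the heuristic that a `_=<timestamp>` query parameter marks a jQuery Ajax request is an assumption stated in the code, as is the `/api/` prefix.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample entries, shaped like the request/status/size fields quoted
# from the Apache access log in the post above. They are not real traffic.
SAMPLE_LOG = """\
"GET /api/1/interface/?page_size=10000&netbox=5733&_=1747125228426 HTTP/1.1" 403 63
"GET /api/1/interface/?page_size=10000&netbox=5733&ifclass=trunk&last_used=on&_=1747125489227 HTTP/1.1" 200 36615
"GET /ipdevinfo/example-sw/ HTTP/1.1" 200 51204
"GET /api/1/interface/?page_size=10000&netbox=5810&_=1747125301111 HTTP/1.1" 403 63
"POST /api/1/netbox/ HTTP/1.1" 403 58
"""

# Matches the request line, status and response size; the client address and
# timestamp fields that precede them in a full access log entry are ignored.
ENTRY_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_entries(text):
    """Yield (method, path, query dict, status) for every entry the regex recognises."""
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        yield m.group("method"), parts.path, parse_qs(parts.query), int(m.group("status"))


def is_browser_ajax(query):
    """Assumption used as a heuristic: jQuery appends a '_=<timestamp>' cache-buster
    to Ajax GETs, which is what the port-table request quoted in the post carries.
    It lets us separate the web GUI's own calls from external API clients."""
    return "_" in query


def api_denials(text, api_prefix="/api/"):
    """Count 403 responses to API requests, keyed by (origin, method, path),
    where origin is 'gui-ajax' or 'api-client'."""
    counts = Counter()
    for method, path, query, status in parse_entries(text):
        if status == 403 and path.startswith(api_prefix):
            origin = "gui-ajax" if is_browser_ajax(query) else "api-client"
            counts[(origin, method, path)] += 1
    return counts


def report(text):
    """One line per (origin, method, path) that was denied; GUI denials on the
    'interface' endpoint are the symptom described in the post."""
    return [
        f"{n:4d}  403  {origin:10s} {method} {path}"
        for (origin, method, path), n in sorted(api_denials(text).items())
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a real log by reading the file into `report()`; a non-zero 'gui-ajax' count on GET /api/1/interface/ after upgrading to 5.13.1 is the regression, while 403s without the cache-buster are API clients that now correctly need a privileged account or token.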
My NAV installation doesn't update port descriptions. I'm using Cisco Catalyst 3750 switches:

Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E, RELEASE SOFTWARE (fc2)

I already had this problem; I also updated to the latest NAV 5.13.1, but I always have the same problem. If I change the interface description from the NAV GUI (portadmin), the description is not updated on the switch. If I change, for example, the vlan, the vlan is correctly updated.

Any suggestion will be appreciated.

Davide
On Tue 13 May 2025 at 13:35, Davide Miccone <davide@wpweb.com> wrote:

> Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E, RELEASE SOFTWARE (fc2). If I change the interface description from NAV GUI (portadmin), description is not updated on the switch.

It seems this may be a known issue with Cisco IOS 15.2E:

https://community.cisco.com/t5/switching/ifalias-snmp-mib-doesn-t-seem-to-wo...

I cannot claim to understand Cisco's version numbering scheme. Are you on the latest software?

-- 
Sincerely,
Morten Brekkevold
Sikt – Norwegian Agency for Shared Services in Education and Research
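Portadmin writes the description through SNMP as IF-MIB::ifAlias, so the quickest way to find out whether the switch or NAV is at fault is to take NAV out of the loop: write an ifAlias value with the net-snmp command-line tools, read it back, and see whether the agent kept it. The script below is an added example (not NAV's own portadmin code or part of this thread). It assumes the net-snmp `snmpset` and `snmpget` binaries are installed, SNMPv2c with separate read and write community strings, and the numeric OID 1.3.6.1.2.1.31.1.1.1.18 for ifAlias; the host name, community strings and ifIndex used in the demo are constructed placeholders, and the `SimulatedAgent` class stands in for a real switch so the check can be run offline.

```python
import subprocess

# IF-MIB::ifAlias, the per-interface description object written over SNMP.
# Numeric so that no MIB files need to be present on the NAV host.
IFALIAS_OID = "1.3.6.1.2.1.31.1.1.1.18"


def _run(cmd, run=subprocess.run):
    """Run a net-snmp command line; return (exit code, stripped stdout)."""
    proc = run(cmd, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout.strip()


def snmp_get_alias(host, community, ifindex, run=subprocess.run):
    """Read ifAlias.<ifindex>; -Oqv prints only the value. None on failure."""
    cmd = ["snmpget", "-v2c", "-c", community, "-Oqv", host, f"{IFALIAS_OID}.{ifindex}"]
    rc, out = _run(cmd, run)
    if rc != 0:
        return None
    return out.strip('"')


def snmp_set_alias(host, community, ifindex, description, run=subprocess.run):
    """Write ifAlias.<ifindex> as an OCTET STRING ('s'). True if the SET was accepted."""
    cmd = ["snmpset", "-v2c", "-c", community, host, f"{IFALIAS_OID}.{ifindex}", "s", description]
    rc, _ = _run(cmd, run)
    return rc == 0


def ifalias_roundtrip(host, write_community, read_community, ifindex, description,
                      run=subprocess.run):
    """Set a description, read it back and report what the agent did.

    'set_ok' True together with 'matches' False is the symptom from the thread:
    the agent accepts the SNMP SET but the interface description never changes,
    which points at the switch software rather than at NAV."""
    before = snmp_get_alias(host, read_community, ifindex, run)
    set_ok = snmp_set_alias(host, write_community, ifindex, description, run)
    after = snmp_get_alias(host, read_community, ifindex, run)
    return {
        "before": before,
        "set_ok": set_ok,
        "after": after,
        "matches": bool(set_ok and after == description),
    }


class SimulatedAgent:
    """Constructed stand-in for subprocess.run that answers like a switch agent.
    With honours_set=False it acknowledges SETs but keeps the old alias,
    mimicking the behaviour reported in the thread."""

    def __init__(self, alias, honours_set=True):
        self.alias = alias
        self.honours_set = honours_set

    def __call__(self, cmd, **kwargs):
        if cmd[0] == "snmpset":
            oid, value = cmd[-3], cmd[-1]
            if self.honours_set:
                self.alias = value
            return subprocess.CompletedProcess(cmd, 0, stdout=f'{oid} = STRING: "{value}"\n', stderr="")
        # snmpget with -Oqv prints just the value
        return subprocess.CompletedProcess(cmd, 0, stdout=f"{self.alias}\n", stderr="")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 6:
        # Real switch: script.py HOST WRITE_COMMUNITY READ_COMMUNITY IFINDEX "DESCRIPTION"
        host, wc, rcomm, idx, desc = sys.argv[1:]
        print(ifalias_roundtrip(host, wc, rcomm, int(idx), desc))
    else:
        for honours in (True, False):
            agent = SimulatedAgent("old desc", honours_set=honours)
            result = ifalias_roundtrip("sw1.example", "private", "public", 10, "uplink to core", run=agent)
            print(f"agent honours SET={honours}: {result}")
```

If the round trip fails against the real switch while the CLI `description` command works, the problem is in the IOS SNMP agent and NAV cannot fix it; if it succeeds, the next place to look is NAV's own portadmin configuration and logs.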
No, I'm not on the latest. I'm on 15.2(4)E. I should try to update......

-----Original message-----
From: Morten Brekkevold <morten.brekkevold@sikt.no>
Sent: Wednesday 11 June 2025 15:39
To: Davide Miccone <davide@wpweb.com>
Cc: nav-users@lister.sikt.no
Subject: Re: [Nav-users] Port description not updated

> On Tue 13 May 2025 at 13:35, Davide Miccone <davide@wpweb.com> wrote:
>
> > Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E, RELEASE SOFTWARE (fc2). If I change the interface description from NAV GUI (portadmin), description is not updated on the switch.
>
> It seems this may be a known issue with Cisco IOS 15.2E:
>
> https://community.cisco.com/t5/switching/ifalias-snmp-mib-doesn-t-seem-to-wo...
>
> I cannot claim to understand Cisco's version numbering scheme. Are you on the latest software?
>
> -- 
> Sincerely,
> Morten Brekkevold
> Sikt – Norwegian Agency for Shared Services in Education and Research
On Tue 13 May 2025 at 11:39, Ingeborg Hellemo <ingeborg.hellemo@uit.no> wrote:

> > - Lock down API access for unprivileged users
>
> Could this have unexpected consequences?
>
> Non-admin users now get an Ajax error when viewing ports on a device.

Yes, it did. We realized that the frontend calls the 'interface' endpoint of the API when populating the port table.

We have opened a pull request that will fix this problem: https://github.com/Uninett/nav/pull/3373 and we are planning on making a bugfix release with this fix as soon as possible.

-- 
Sincerely,
Johanna England
Sikt – Norwegian Agency for Shared Services in Education and Research
Participants (4):

- Davide Miccone
- Ingeborg Hellemo
- Johanna England
- Morten Brekkevold