CVE-2022-39322

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-39322

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39322.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-39322

Aliases

GHSA-6mhr-52mv-6v6f

Related

GHSA-6mhr-52mv-6v6f

Published

2022-10-25T17:15:56Z

Modified

2025-07-01T18:04:15Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

@keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their multiselect fields to use the field-level access control - if configured - are vulnerable to their field-level access control not being used. List-level access control is not affected. Field-level access control for fields other than multiselect are not affected. Version 2.3.1 contains a fix for this issue. As a workaround, stop using the multiselect field.

References

Affected packages

Git / github.com/keystonejs/keystone

Affected ranges

Type: GIT
Repo: https://github.com/keystonejs/keystone
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

65c6ee3deef23605fc72b80230908696a7a65e7c