CVE-2022-39322

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-39322
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39322.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-39322
Published
2022-10-25T00:00:00Z
Modified
2025-11-04T20:08:55.611405Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
@keystone-6/core vulnerable to field-level access-control bypass for multiselect field
Details

@keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, field-level access control configured on a multiselect field is not used, so users who expected it to be enforced on their multiselect fields are vulnerable. List-level access control is not affected. Field-level access control for fields other than multiselect is not affected. Version 2.3.1 contains a fix for this issue. As a workaround, stop using the multiselect field.

Database specific
{
    "cwe_ids": [
        "CWE-285"
    ]
}

Affected packages

Git / github.com/keystonejs/keystone

Affected ranges

Type
GIT
Repo
https://github.com/keystonejs/keystone

Affected versions

@arch-ui/day-picker@0.*

@arch-ui/day-picker@0.0.11

@arch-ui/drawer@0.*

@arch-ui/drawer@0.0.10

@arch-ui/options@0.*

@arch-ui/options@0.0.9

@arch-ui/select@0.*

@arch-ui/select@0.0.8

@keystone-alpha/access-control@1.*

@keystone-alpha/access-control@1.1.0

@keystone-alpha/adapter-knex@4.*

@keystone-alpha/adapter-knex@4.0.0
@keystone-alpha/adapter-knex@4.0.1
@keystone-alpha/adapter-knex@4.0.2
@keystone-alpha/adapter-knex@4.0.3
@keystone-alpha/adapter-knex@4.0.4
@keystone-alpha/adapter-knex@4.0.5
@keystone-alpha/adapter-knex@4.0.6
@keystone-alpha/adapter-knex@4.0.7

@keystone-alpha/adapter-mongoose@4.*

@keystone-alpha/adapter-mongoose@4.0.0
@keystone-alpha/adapter-mongoose@4.0.1
@keystone-alpha/adapter-mongoose@4.0.2
@keystone-alpha/adapter-mongoose@4.0.3
@keystone-alpha/adapter-mongoose@4.0.4

@keystone-alpha/app-admin-ui@5.*

@keystone-alpha/app-admin-ui@5.2.0
@keystone-alpha/app-admin-ui@5.3.0
@keystone-alpha/app-admin-ui@5.4.0
@keystone-alpha/app-admin-ui@5.5.0
@keystone-alpha/app-admin-ui@5.5.1
@keystone-alpha/app-admin-ui@5.5.2

@keystone-alpha/app-graphql@7.*

@keystone-alpha/app-graphql@7.0.0

@keystone-alpha/app-static@1.*

@keystone-alpha/app-static@1.1.0

@keystone-alpha/auth-passport@3.*

@keystone-alpha/auth-passport@3.0.0
@keystone-alpha/auth-passport@3.1.0

@keystone-alpha/auth-passport@4.*

@keystone-alpha/auth-passport@4.0.0
@keystone-alpha/auth-passport@4.0.1
@keystone-alpha/auth-passport@4.1.0

@keystone-alpha/auth-password@1.*

@keystone-alpha/auth-password@1.0.0

@keystone-alpha/build-field-types@1.*

@keystone-alpha/build-field-types@1.0.5

@keystone-alpha/field-content@2.*

@keystone-alpha/field-content@2.1.0

@keystone-alpha/fields-auto-increment@1.*

@keystone-alpha/fields-auto-increment@1.0.1

@keystone-alpha/fields-datetime-utc@1.*

@keystone-alpha/fields-datetime-utc@1.0.1

@keystone-alpha/fields-mongoid@1.*

@keystone-alpha/fields-mongoid@1.0.2
@keystone-alpha/fields-mongoid@1.1.0

@keystone-alpha/fields@10.*

@keystone-alpha/fields@10.1.0
@keystone-alpha/fields@10.2.0
@keystone-alpha/fields@10.3.0
@keystone-alpha/fields@10.4.0
@keystone-alpha/fields@10.5.0
@keystone-alpha/fields@10.6.0
@keystone-alpha/fields@10.6.1
@keystone-alpha/fields@10.6.2

@keystone-alpha/keystone@10.*

@keystone-alpha/keystone@10.0.0
@keystone-alpha/keystone@10.1.0
@keystone-alpha/keystone@10.2.0
@keystone-alpha/keystone@10.3.0
@keystone-alpha/keystone@10.4.0
@keystone-alpha/keystone@10.5.0

@keystone-alpha/keystone@11.*

@keystone-alpha/keystone@11.0.0

@keystone-alpha/keystone@12.*

@keystone-alpha/keystone@12.0.0
@keystone-alpha/keystone@12.0.1

@keystone-alpha/keystone@13.*

@keystone-alpha/keystone@13.0.0

@keystone-alpha/keystone@9.*

@keystone-alpha/keystone@9.1.0

@keystone-alpha/list-plugins@1.*

@keystone-alpha/list-plugins@1.0.0

@keystone-alpha/test-utils@2.*

@keystone-alpha/test-utils@2.2.0
@keystone-alpha/test-utils@2.2.1
@keystone-alpha/test-utils@2.2.2
@keystone-alpha/test-utils@2.2.3
@keystone-alpha/test-utils@2.2.4
@keystone-alpha/test-utils@2.3.0

Other

Typescript-Convert

create-keystone-app@1.*

create-keystone-app@1.0.0
create-keystone-app@1.0.1