GHSA-gqcf-83rq-gpfr

Source
https://github.com/advisories/GHSA-gqcf-83rq-gpfr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-gqcf-83rq-gpfr/GHSA-gqcf-83rq-gpfr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gqcf-83rq-gpfr
Published
2021-09-14T20:24:44Z
Modified
2024-12-02T05:28:17.830949Z
Summary
Any storage file can be downloaded from p.sh if full server path is known
Details

The default configuration for platform.sh (.platform.app.yaml) allows uploaded files to be downloaded by anyone who knows or can guess their server path, regardless of whether the requesting user's roles grant read access to the content those files belong to. If you're using Legacy Bridge, the default configuration also exposes certain legacy files that should not be readable, including the legacy var directory and the extension directories.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-14T18:35:35Z"
}
References

Affected packages

Packagist / ibexa/post-install

Package

Name
ibexa/post-install
Purl
pkg:composer/ibexa/post-install

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.4.1

Affected versions

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4

Database specific

{
    "last_known_affected_version_range": "<= 1.0.4"
}