GHSA-hvp4-vrv2-8wrq

Source
https://github.com/advisories/GHSA-hvp4-vrv2-8wrq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-hvp4-vrv2-8wrq/GHSA-hvp4-vrv2-8wrq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hvp4-vrv2-8wrq
Aliases
  • CVE-2024-1314
Published
2024-02-08T18:32:10Z
Modified
2024-02-16T08:01:09.022240Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
Kinto Attachment's attachments can be replaced on read-only records
Details

Impact

The attachment file of an existing record can be replaced if the user has "read" permission on one of the record's parents (collection or bucket).

If the "read" permission is granted to "system.Everyone" on one of the parents, the attachment can be replaced on a record using an anonymous request.

Note that if the parents have no explicit read permission, the records' attachments are safe.

Patches

  • Patch released in kinto-attachment 6.4.0
  • https://github.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1

Workarounds

None if the read permission has to remain granted.

Updating to 6.4.0 or applying the patch individually (if updating is not feasible) is strongly recommended.

References

  • https://bugzilla.mozilla.org/show_bug.cgi?id=1879034

Affected packages

PyPI / kinto-attachment

Package

Name
kinto-attachment
Purl
pkg:pypi/kinto-attachment

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.4.0

Affected versions

0.*

0.1.0.dev0
0.1.0
0.2.0
0.3.0
0.4.0
0.5.0.dev0
0.5.0
0.5.1
0.6.0
0.7.0
0.7.1
0.8.0

1.*

1.0.0
1.0.1
1.1.0
1.1.1
1.1.2

2.*

2.0.0
2.0.1
2.1.0

3.*

3.0.0
3.0.1

4.*

4.0.0

5.*

5.0.0

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1.0
6.2.0
6.3.0
6.3.1
6.3.2

Database specific

{
    "last_known_affected_version_range": "<= 6.3.2"
}