GHSA-hvp4-vrv2-8wrq

Source
https://github.com/advisories/GHSA-hvp4-vrv2-8wrq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-hvp4-vrv2-8wrq/GHSA-hvp4-vrv2-8wrq.json
Aliases
  • CVE-2024-1314
Published
2024-02-08T18:32:10Z
Modified
2024-02-16T08:01:09.022240Z
Details

Impact

The attachment file of an existing record can be replaced by any user who has "read" permission on one of the record's parents (the collection or the bucket), even without "write" permission on the record.

If "read" is granted to system.Everyone on one of the parents, the attachment can be replaced by an anonymous (unauthenticated) request.

If neither parent has an explicit "read" permission, the records' attachments are not affected.

Patches

  • Patch released in kinto-attachment 6.4.0
  • https://github.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1

Workarounds

None if the "read" permission has to remain granted; short of patching, the only mitigation is to remove "read" (in particular for system.Everyone) from the parent bucket and collection.

Updating to 6.4.0, or applying the patch individually if updating is not feasible, is strongly recommended.
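
To make the Impact and Workarounds sections concrete, the following is an added example (not code from kinto-attachment or Kinto). It is a simplified model of Kinto's permission inheritance (a grant on a bucket applies to its collections and records, a grant on a collection to its records, and "write" implies "read") and contrasts a check that only asks for "read" on a parent, as the advisory describes for versions before 6.4.0, with one that requires "write" on the record. It also includes an audit helper that lists parents whose explicit "read" grant includes system.Everyone. All object URIs, principals and grants are constructed for the example.

```python
"""Simplified model of the authorization flaw described in this advisory.

Added example, not the project's own code. Kinto's real permission model has
more object types and principals than shown here; the hierarchy, principals
and grants below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Principals Kinto attaches to requests; system.Everyone is present even on
# anonymous requests, system.Authenticated only on authenticated ones.
EVERYONE = "system.Everyone"
AUTHENTICATED = "system.Authenticated"


@dataclass
class Obj:
    """A bucket, collection or record with its explicit permission grants."""
    uri: str
    parent: Optional["Obj"] = None
    permissions: Dict[str, Set[str]] = field(default_factory=dict)


def _granted_here(obj: Obj, perm: str) -> Set[str]:
    """Principals holding `perm` directly on `obj`; "write" implies "read"."""
    principals = set(obj.permissions.get(perm, set()))
    if perm == "read":
        principals |= obj.permissions.get("write", set())
    return principals


def has_permission(obj: Obj, perm: str, principals: Iterable[str]) -> bool:
    """Inherited check: a grant on `obj` or any ancestor (collection, bucket) counts."""
    wanted = set(principals)
    node: Optional[Obj] = obj
    while node is not None:
        if _granted_here(node, perm) & wanted:
            return True
        node = node.parent
    return False


def vulnerable_can_replace_attachment(record: Obj, principals: Iterable[str]) -> bool:
    """Behaviour reported for < 6.4.0: "read" on the collection or bucket is enough.

    The inherited read check on the collection already covers the bucket.
    """
    return has_permission(record.parent, "read", principals)


def fixed_can_replace_attachment(record: Obj, principals: Iterable[str]) -> bool:
    """Replacing the file modifies the record, so require "write" on the record
    (inherited from the collection or bucket, as for any other record update)."""
    return has_permission(record, "write", principals)


def exposed_parents(record: Obj) -> List[str]:
    """Audit helper: parents whose explicit "read" grant includes system.Everyone,
    i.e. where an unpatched server lets anonymous callers replace the attachment."""
    exposed = []
    node = record.parent
    while node is not None:
        if EVERYONE in node.permissions.get("read", set()):
            exposed.append(node.uri)
        node = node.parent
    return exposed


# Constructed sample hierarchy: a public bucket (read for everyone) and a private one.
PUBLIC_BUCKET = Obj("/buckets/blog",
                    permissions={"write": {"account:admin"}, "read": {EVERYONE}})
PUBLIC_COLLECTION = Obj("/buckets/blog/collections/posts", PUBLIC_BUCKET)
PUBLIC_RECORD = Obj("/buckets/blog/collections/posts/records/1", PUBLIC_COLLECTION)

PRIVATE_BUCKET = Obj("/buckets/internal", permissions={"write": {"account:admin"}})
PRIVATE_COLLECTION = Obj("/buckets/internal/collections/docs", PRIVATE_BUCKET)
PRIVATE_RECORD = Obj("/buckets/internal/collections/docs/records/1", PRIVATE_COLLECTION)

ANONYMOUS = [EVERYONE]
ADMIN = ["account:admin", AUTHENTICATED, EVERYONE]


if __name__ == "__main__":
    for name, record in (("public", PUBLIC_RECORD), ("private", PRIVATE_RECORD)):
        print(name, "anonymous replace allowed by vulnerable check:",
              vulnerable_can_replace_attachment(record, ANONYMOUS))
        print(name, "anonymous replace allowed by fixed check:",
              fixed_can_replace_attachment(record, ANONYMOUS))
        print(name, "parents readable by system.Everyone:", exposed_parents(record))
```

The public bucket shows the advisory's scenario: an anonymous caller passes the parent "read" check and could replace the attachment, while the write-on-record check rejects it and still admits the bucket's writer. The private bucket, with no explicit "read" grant, passes neither check for anonymous callers, matching the advisory's note that such records are unaffected. The audit helper is what a practitioner would run over a real server's bucket and collection permission documents to find the exposed parents before patching.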

References

  • https://bugzilla.mozilla.org/show_bug.cgi?id=1879034

Affected packages

Package

PyPI / kinto-attachment
Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
6.4.0

Affected versions

0.*

0.1.0.dev0
0.1.0
0.2.0
0.3.0
0.4.0
0.5.0.dev0
0.5.0
0.5.1
0.6.0
0.7.0
0.7.1
0.8.0

1.*

1.0.0
1.0.1
1.1.0
1.1.1
1.1.2

2.*

2.0.0
2.0.1
2.1.0

3.*

3.0.0
3.0.1

4.*

4.0.0

5.*

5.0.0

6.*

6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1.0
6.2.0
6.3.0
6.3.1
6.3.2

Database specific

{
    "last_known_affected_version_range": "<= 6.3.2"
}