GHSA-p7m7-j8jv-393q

Source

https://github.com/advisories/GHSA-p7m7-j8jv-393q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p7m7-j8jv-393q/GHSA-p7m7-j8jv-393q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p7m7-j8jv-393q

Aliases

Published

2022-05-24T17:33:56Z

Modified

2024-02-16T08:21:46.378624Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Magento incorrect permissions vulnerability in the Inventory module

Details

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions issue vulnerability in the Inventory module. This vulnerability could be abused by authenticated users to modify inventory stock data without authorization.

Database specific

{
    "nvd_published_at": "2020-11-09T01:15:00Z",
    "cwe_ids": [
        "CWE-285"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-11T17:38:39Z"
}

References

Affected packages

Packagist / magento/community-edition

Package

Name: magento/community-edition
Purl: pkg:composer/magento/community-edition

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.6

Affected versions

0.*

0.1.0-alpha89

0.1.0-alpha90

0.1.0-alpha91

0.1.0-alpha92

0.1.0-alpha93

0.1.0-alpha94

0.1.0-alpha95

0.1.0-alpha96

0.1.0-alpha97

0.1.0-alpha98

0.1.0-alpha99

0.1.0-alpha100

0.1.0-alpha101

0.1.0-alpha102

0.1.0-alpha103

0.1.0-alpha104

0.1.0-alpha105

0.1.0-alpha106

0.1.0-alpha107

0.1.0-alpha108

0.42.0-beta1

0.42.0-beta2

0.42.0-beta3

0.42.0-beta4

0.42.0-beta5

0.42.0-beta6

0.42.0-beta7

0.42.0-beta8

0.42.0-beta9

0.42.0-beta10

0.42.0-beta11

0.74.0-beta1

0.74.0-beta2

0.74.0-beta3

0.74.0-beta4

0.74.0-beta5

0.74.0-beta6

0.74.0-beta7

0.74.0-beta8

0.74.0-beta9

0.74.0-beta10

0.74.0-beta11

0.74.0-beta12

0.74.0-beta13

0.74.0-beta14

0.74.0-beta15

0.74.0-beta16

1.*

1.0.0-beta

1.0.0-beta2

1.0.0-beta3

1.0.0-beta4

1.0.0-beta5

1.0.0-beta6

2.*

2.0.0-rc

2.0.0-rc2

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.1.0-rc1

2.1.0-rc2

2.1.0-rc3

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

2.1.16

2.1.17

2.1.18

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.3.0

2.3.1

2.3.2

2.3.2-p2

2.3.3

2.3.3-p1

2.3.4

2.3.4-p2

2.3.5

2.3.5-p1

2.3.5-p2

Database specific

{
    "last_known_affected_version_range": "<= 2.3.5-p2"
}

Packagist / magento/community-edition

Package

Name: magento/community-edition
Purl: pkg:composer/magento/community-edition

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.4.0

Fixed

2.4.1

Affected versions

2.*

2.4.0

2.4.0-p1