GHSA-r578-pj6f-r4ff

Source
https://github.com/advisories/GHSA-r578-pj6f-r4ff
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-r578-pj6f-r4ff/GHSA-r578-pj6f-r4ff.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r578-pj6f-r4ff
Aliases
Related
Published
2021-06-21T17:07:47Z
Modified
2023-11-08T04:05:57.041751Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Auto-merging Person Records Compromised
Details

Impact

New user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages (such as giving and events).

Patches

We have released a security patch in v2.20.0. The fix creates a new (duplicate) person record first and then patches that new record with the profile details, instead of posting the profile fields directly and relying on Rock's auto-merge to pick the person.

Workarounds

If you do not wish to upgrade your app to the new version, you can patch your server by overriding the create method on the People data source class:

  create = async (profile) => {
    const rockUpdateFields = this.mapApollosFieldsToRock(profile);
    // Rock's auto-merge on posted profile fields is compromised, so we
    // create a bare new person first and then patch in the profile details.
    const id = await this.post('/People', {
      Gender: 0, // required by Rock. Listed first so it can be overridden.
      IsSystem: false, // required by Rock
    });
    await this.patch(`/People/${id}`, {
      ...rockUpdateFields,
    });
    return id;
  };
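To make the difference concrete, here is an added example that is not part of the advisory or the Apollos project: a constructed in-memory stand-in for Rock's /People endpoint whose POST returns an existing person's Id when the identifying fields match (the auto-merge behaviour the advisory describes), run against a create that posts the profile fields and against the create-then-patch workaround. FakeRock, its matching rule and the sample person are all assumptions for illustration.

```javascript
// Constructed stand-in for Rock's /People endpoint (assumption, not Rock's code).
class FakeRock {
  constructor() { this.people = new Map(); this.nextId = 1; }
  // Approximates the auto-merge the advisory describes: a POST whose
  // name/birthday/gender match an existing person returns that person's Id.
  async post(path, body) {
    if (path !== '/People') throw new Error(`unexpected path ${path}`);
    for (const [id, p] of this.people) {
      if (body.FirstName !== undefined && p.FirstName === body.FirstName &&
          p.LastName === body.LastName && p.BirthDate === body.BirthDate &&
          p.Gender === body.Gender) {
        return id; // merged: caller is handed an existing account's Id
      }
    }
    const id = this.nextId++;
    this.people.set(id, { ...body });
    return id;
  }
  async patch(path, body) {
    const id = Number(path.split('/').pop());
    Object.assign(this.people.get(id), body);
  }
}

// Vulnerable pattern: profile fields go into the POST, so Rock may auto-merge
// the registration onto whoever already has those basic details.
async function createViaAutoMerge(rock, fields) {
  return rock.post('/People', { Gender: 0, IsSystem: false, ...fields });
}

// The advisory's workaround: POST only the required fields, then PATCH the
// newly created record with the profile details.
async function createThenPatch(rock, fields) {
  const id = await rock.post('/People', { Gender: 0, IsSystem: false });
  await rock.patch(`/People/${id}`, { ...fields });
  return id;
}

// Returns the Ids so the outcome can be checked: the merging create hands
// back the existing person's Id, the patched create a fresh one.
async function demo() {
  const rock = new FakeRock();
  const existing = { FirstName: 'Ada', LastName: 'Lovelace',
                     BirthDate: '1815-12-10', Gender: 2 }; // constructed sample
  const existingId = await rock.post('/People', { ...existing, IsSystem: false });
  const merged = await createViaAutoMerge(rock, existing);
  const fresh = await createThenPatch(rock, existing);
  return { existingId, merged, fresh, records: rock.people.size };
}
```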

For more information

If you have any questions or comments about this advisory:
  • Email us at support@apollos.app

Database specific
{
    "nvd_published_at": "2021-06-16T22:15:00Z",
    "github_reviewed_at": "2021-06-16T18:55:04Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-287",
        "CWE-303"
    ]
}
References

Affected packages

npm / @apollosproject/data-connector-rock

Package

Name
@apollosproject/data-connector-rock
Purl
pkg:npm/%40apollosproject/data-connector-rock

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.20.0