GHSA-xr38-w74q-r8jv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xr38-w74q-r8jv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-xr38-w74q-r8jv/GHSA-xr38-w74q-r8jv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xr38-w74q-r8jv
- Aliases
- Published
- 2021-12-06T23:57:59Z
- Modified
- 2024-09-23T16:38:39.422676Z
- Severity
-
- 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Permissions not properly checked in Invenio-Drafts-Resources
- Details
-
Impact
Invenio-Drafts-Resources does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. cannot change a record from restricted to public.
Details
The service's
publish()method contains the following permission check:def publish(..): self.require_permission(identity, "publish")However, the record should have been passed into the permission check so that the need generators have access to e.g. the record owner.
def publish(..): self.require_permission(identity, "publish", record=record)The bug is activated in Invenio-RDM-Records which has a need generator called
RecordOwners(), which when no record is passed in defaults to allow any authenticated user:class RecordOwners(Generator): def needs(self, record=None, **kwargs): if record is None: return [authenticated_user] # ...Patches
The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6+, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively.
You can verify the version installed of Invenio-Drafts-Resources via PIP:
cd ~/src/my-site pipenv run pip freeze | grep invenio-drafts-resourcesReferences
For more information
If you have any questions or comments about this advisory: * Chat with us on Discord: https://discord.gg/8qatqBC
- Database specific
{ "nvd_published_at": "2021-12-06T18:15:00Z", "cwe_ids": [ "CWE-862", "CWE-863" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-12-06T22:15:02Z" }- References
-
- https://github.com/inveniosoftware/invenio-drafts-resources/security/advisories/GHSA-xr38-w74q-r8jv
- https://nvd.nist.gov/vuln/detail/CVE-2021-43781
- https://github.com/inveniosoftware/invenio-drafts-resources/commit/039b0cff1ad4b952000f4d8c3a93f347108b6626
- https://github.com/pypa/advisory-database/tree/main/vulns/invenio-app-rdm/PYSEC-2021-837.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/invenio-drafts-resources/PYSEC-2021-836.yaml
Affected packages
PyPI / invenio-drafts-resources
Package
- Name
- invenio-drafts-resources
- View open source insights on deps.dev
- Purl
- pkg:pypi/invenio-drafts-resources
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.13.7
Affected versions
0.*
0.1.0
0.1.2
0.1.3
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.3.0
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.6.0
0.6.1
0.6.2
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
0.10.8
0.10.9
0.10.10
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.11.5
0.11.6
0.12.0
0.12.1
0.12.2
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
PyPI / invenio-app-rdm
Package
- Name
- invenio-app-rdm
- View open source insights on deps.dev
- Purl
- pkg:pypi/invenio-app-rdm
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.0.5
Affected versions
0.*
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.8.0
0.8.1
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.10.0
0.10.1
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.13.0
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.14.5
0.14.6
0.14.7
0.14.8
0.15.0
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.16.6
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.18.0
0.18.2
0.18.3
0.18.4
0.18.5
0.18.6
0.18.7
0.18.8
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.19.6
0.19.7
0.19.8
0.19.9
0.20.0
0.20.1
0.20.2
0.20.3
0.20.4
0.20.5
0.20.6
0.20.7
0.20.8
0.20.9
0.20.10
0.20.11
1.*
1.0.0a2
1.0.0a3
1.0.0a4
1.0.0a5
1.0.0
2.*
2.0.0.dev0
2.0.0.dev1
2.0.0.dev2
2.0.0.dev3
2.0.0.dev4
2.0.0
2.0.1
3.*
3.0.0.dev0
3.0.0.dev1
3.0.0.dev2
3.0.0.dev3
3.0.0.dev4
3.0.0.dev5
3.0.0.dev6
3.0.0.dev7
3.0.0rc1
3.0.0
4.*
4.0.0.dev0
4.0.0.dev1
4.0.0.dev2
4.0.0.dev3
4.0.0.dev4
4.0.0
4.0.1
5.*
5.0.0.dev0
5.0.0.dev1
5.0.0.dev2
5.0.0.dev3
5.0.0.dev4
5.0.0.dev5
5.0.0.dev6
5.0.0.dev7
5.0.0.dev8
5.0.0.dev9
5.0.0.dev10
5.0.0
6.*
6.0.0.dev0
6.0.0.dev1
6.0.0.dev2
6.0.0.dev3
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
PyPI / invenio-rdm-records
Package
- Name
- invenio-rdm-records
- View open source insights on deps.dev
- Purl
- pkg:pypi/invenio-rdm-records
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.32.6
Affected versions
0.*
0.9.0
0.10.0
0.10.1
0.11.0
0.11.1
0.12.0
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.14.0
0.14.1
0.15.0
0.16.0
0.17.0
0.17.1
0.18.0
0.18.1
0.18.2
0.18.3
0.19.0
0.19.1
0.20.0
0.20.1
0.20.2
0.20.3
0.20.4
0.20.6
0.20.7
0.20.8
0.21.0
0.22.0
0.22.1
0.23.0
0.23.1
0.23.2
0.23.3
0.23.4
0.23.5
0.23.6
0.23.7
0.23.8
0.23.9
0.23.10
0.24.1
0.24.2
0.24.3
0.24.4
0.24.5
0.24.6
0.25.0
0.25.1
0.25.2
0.25.3
0.25.4
0.25.5
0.25.6
0.25.7
0.25.8
0.25.9
0.26.0
0.26.1
0.26.2
0.26.3
0.26.4
0.26.5
0.26.6
0.27.0
0.27.1
0.27.2
0.27.3
0.27.4
0.27.5
0.27.6
0.27.7
0.27.8
0.27.9
0.27.10
0.27.11
0.27.12
0.27.13
0.27.14
0.27.15
0.28.0
0.28.1
0.28.2
0.28.3
0.28.4
0.28.5
0.28.6
0.28.7
0.28.8
0.28.9
0.28.10
0.28.11
0.28.12
0.29.0
0.29.1
0.29.2
0.29.3
0.29.4
0.29.6
0.29.7
0.29.8
0.29.9
0.29.10
0.29.11
0.29.12
0.29.13
0.29.14
0.29.15
0.29.16
0.29.17
0.30.0
0.30.1
0.30.2
0.30.3
0.30.4
0.30.5
0.30.6
0.30.7
0.30.8
0.30.9
0.31.0
0.31.1
0.31.2
0.31.3
0.31.4
0.31.5
0.31.6
0.31.7
0.31.8
0.31.9
0.31.10
0.31.11
0.31.12
0.31.13
0.31.14
0.31.15
0.31.16
0.31.17
0.31.18
0.32.0
0.32.1
0.32.2
0.32.3
0.32.4
0.32.5
PyPI / invenio-drafts-resources
Package
- Name
- invenio-drafts-resources
- View open source insights on deps.dev
- Purl
- pkg:pypi/invenio-drafts-resources
PyPI / invenio-rdm-records
Package
- Name
- invenio-rdm-records
- View open source insights on deps.dev
- Purl
- pkg:pypi/invenio-rdm-records
PyPI / invenio-app-rdm
Package
- Name
- invenio-app-rdm
- View open source insights on deps.dev
- Purl
- pkg:pypi/invenio-app-rdm