Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02bWhyLTUybXYtNnY2Zs4AAvaQ

Field-level access-control bypass for multiselect field

Impact

Users of @keystone-6/core@2.2.0 || 2.3.0 who use the multiselect field and have provided field-level access control on it are vulnerable: their field-level access control is not used.

List-level access control is NOT affected.

Field-level access control for fields other than multiselect is NOT affected.

For example, you are vulnerable if you are using field-level access control on a multiselect field like the following:

import { list } from '@keystone-6/core';
import { multiselect } from '@keystone-6/core/fields';

const yourList = list({
  access: {
    // this is list-level access control, this is NOT impacted
  },
  fields: {
    yourFieldName: multiselect({
      // this is field-level access control, for multiselect fields
      //   this is vulnerable
      access: {
        create: ({ session }) => session?.data.isAdmin,
        update: ({ session }) => session?.data.isAdmin,
      },
      options: [
        { value: 'apples', label: 'Apples' },
        { value: 'oranges', label: 'Oranges' },
      ],
      // ...
    }),
    // ...
  },
  // ...
});

Mitigation

Please upgrade to @keystone-6/core >= 2.3.1, where this vulnerability has been closed.
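
To confirm which copies of the package a project actually installs, the following added example (not part of the advisory or of Keystone's own code) scans the "packages" map of an npm package-lock.json for @keystone-6/core versions in the affected range >= 2.2.0, < 2.3.1. The helper names and the sample lockfile are constructed for illustration, and prerelease suffixes are ignored as a simplifying assumption.

```javascript
// Affected range from the advisory: >= 2.2.0, < 2.3.1 of @keystone-6/core.
const PKG = '@keystone-6/core';
const AFFECTED_FROM = [2, 2, 0]; // inclusive lower bound
const FIXED_IN = [2, 3, 1];      // exclusive upper bound (first fixed release)

// Parse "x.y.z"; a leading "v" and any prerelease/build suffix are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED_FROM) >= 0 && compare(v, FIXED_IN) < 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// return every installed copy of the package that is in the affected range,
// including copies nested under other dependencies.
function findAffected(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + PKG) && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@keystone-6/core': { version: '2.3.0' },
    'node_modules/some-plugin/node_modules/@keystone-6/core': { version: '2.3.1' },
    'node_modules/@keystone-6/auth': { version: '4.0.1' },
  },
});

console.log(findAffected(sampleLock));
```

An empty result means no installed copy falls in the affected range; it says nothing about whether the multiselect field is in use.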

Workarounds

If for some reason you cannot upgrade your dependencies, you should stop using the multiselect field.

Credits

Thanks to Marek R for reporting and submitting the pull request to fix this problem.

If you have any questions around this security advisory, please don't hesitate to contact us at [email protected], or open an issue on GitHub.

If you have a security flaw to report for any software in this repository, please see our SECURITY policy.

Permalink: https://github.com/advisories/GHSA-6mhr-52mv-6v6f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02bWhyLTUybXYtNnY2Zs4AAvaQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-6mhr-52mv-6v6f, CVE-2022-39322
References: Repository: https://github.com/keystonejs/keystone
Blast Radius: 19.3

Affected Packages

npm:@keystone-6/core
Dependent packages: 37
Dependent repositories: 133
Downloads: 114,572 last month
Affected Version Ranges: >= 2.2.0, < 2.3.1
Fixed in: 2.3.1
All affected versions: 2.2.0, 2.3.0
All unaffected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 2.0.0, 2.1.0, 2.3.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 4.0.0, 4.0.1, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.5.0, 5.5.1, 5.6.0, 5.7.0, 5.7.1, 5.7.2, 5.8.0, 6.0.0, 6.1.0