Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03aGgzLTN4NjQtdjJnOc4AAz9x
When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id
Impact
If you used the apiPrefilter option of the @Entity
decorator, by setting it to a function that returns a filter that prevents unauthorized access to data, an attacker who knows the id
of an entity instance she is not authorized to access, can gain read, update and delete access to it.
Patches
The issue is fixed in version 0.20.6
Workarounds
Set the apiPrefilter
option to a filter object instead of a function.
References
If you're using a minor version < 0.20 and require a patch, please create an issue.
Permalink: https://github.com/advisories/GHSA-7hh3-3x64-v2g9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03aGgzLTN4NjQtdjJnOc4AAz9x
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 5.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-7hh3-3x64-v2g9, CVE-2023-35167
References:
- https://github.com/remult/remult/security/advisories/GHSA-7hh3-3x64-v2g9
- https://github.com/remult/remult/commit/6892ae97134126d8710ef7302bb2fc37730994c5
- https://github.com/remult/remult/releases/tag/v0.20.6
- https://nvd.nist.gov/vuln/detail/CVE-2023-35167
- https://github.com/advisories/GHSA-7hh3-3x64-v2g9
Blast Radius: 6.6
Affected Packages
npm:remult
Dependent packages: 5Dependent repositories: 21
Downloads: 8,695 last month
Affected Version Ranges: < 0.20.6
Fixed in: 0.20.6
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.1.22, 0.1.23, 0.1.24, 0.1.25, 0.1.26, 0.1.27, 0.1.28, 0.1.29, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11, 0.4.12, 0.4.13, 0.4.14, 0.4.15, 0.4.16, 0.4.17, 0.4.18, 0.4.19, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.8.1, 0.8.2, 0.8.3, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 0.9.17, 0.9.18, 0.9.19, 0.9.20, 0.9.21, 0.9.22, 0.9.23, 0.9.24, 0.9.25, 0.9.26, 0.9.27, 0.9.28, 0.9.29, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.10.12, 0.10.13, 0.10.14, 0.10.15, 0.10.16, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.13.7, 0.13.8, 0.13.9, 0.13.10, 0.13.11, 0.13.12, 0.13.13, 0.13.14, 0.13.15, 0.13.16, 0.13.17, 0.13.18, 0.13.19, 0.13.20, 0.13.21, 0.13.22, 0.13.23, 0.13.24, 0.13.25, 0.13.26, 0.13.27, 0.13.28, 0.13.29, 0.13.31, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5, 0.14.6, 0.14.7, 0.14.8, 0.14.9, 0.14.10, 0.14.11, 0.14.12, 0.14.13, 0.14.14, 0.14.15, 0.14.16, 0.14.17, 0.14.19, 0.14.20, 0.14.21, 0.14.22, 0.14.23, 0.14.24, 0.14.25, 0.14.26, 0.14.27, 0.14.28, 0.14.29, 0.14.30, 0.14.31, 0.14.32, 0.14.33, 0.14.34, 0.14.35, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.5
All unaffected versions: 0.20.6, 0.21.0, 0.21.1, 0.22.0, 0.22.1, 0.22.2, 0.22.3, 0.22.4, 0.22.5, 0.22.6, 0.22.7, 0.22.8, 0.22.9, 0.22.10, 0.22.11, 0.22.12, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.24.0, 0.24.1, 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.25.5, 0.25.6, 0.25.7, 0.25.8, 0.26.0, 0.26.1, 0.26.2, 0.26.3, 0.26.4, 0.26.5, 0.26.6, 0.26.7, 0.26.8, 0.26.9, 0.26.10, 0.26.11, 0.26.12