Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14cjM4LXc3NHEtcjhqds0ZQQ

Permissions not properly checked in Invenio-Drafts-Resources

Impact

Invenio-Drafts-Resources does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. cannot change a record from restricted to public.

Details

The service's publish() method contains the following permission check:

def publish(..):
    self.require_permission(identity, "publish")

However, the record should have been passed into the permission check so that the need generators have access to e.g. the record owner.

def publish(..):
    self.require_permission(identity, "publish", record=record)

The bug is activated in Invenio-RDM-Records which has a need generator called RecordOwners(), which when no record is passed in defaults to allow any authenticated user:

class RecordOwners(Generator):
    def needs(self, record=None, **kwargs):
        if record is None:
            return [authenticated_user]
    # ...

Patches

The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6+, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively.

You can verify the version installed of Invenio-Drafts-Resources via PIP:

cd ~/src/my-site
pipenv run pip freeze | grep invenio-drafts-resources

References

Security policy

For more information

If you have any questions or comments about this advisory:

Chat with us on Discord: https://discord.gg/8qatqBC

Permalink: https://github.com/advisories/GHSA-xr38-w74q-r8jv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cjM4LXc3NHEtcjhqds0ZQQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago

CVSS Score: 6.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Identifiers: GHSA-xr38-w74q-r8jv, CVE-2021-43781
References:

Repository: https://github.com/inveniosoftware/invenio-drafts-resources
Blast Radius: 8.5

Affected Packages

pypi:invenio-rdm-records

Dependent packages: 7
Dependent repositories: 21
Downloads: 15,437 last month
Affected Version Ranges: >= 0.33.0, < 0.33.10, < 0.32.6
Fixed in: 0.33.10, 0.32.6
All affected versions: 0.9.0, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.14.0, 0.14.1, 0.15.0, 0.16.0, 0.17.0, 0.17.1, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.19.0, 0.19.1, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.6, 0.20.7, 0.20.8, 0.21.0, 0.22.0, 0.22.1, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.23.7, 0.23.8, 0.23.9, 0.23.10, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.24.5, 0.24.6, 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.25.5, 0.25.6, 0.25.7, 0.25.8, 0.25.9, 0.26.0, 0.26.1, 0.26.2, 0.26.3, 0.26.4, 0.26.5, 0.26.6, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.27.4, 0.27.5, 0.27.6, 0.27.7, 0.27.8, 0.27.9, 0.27.10, 0.27.11, 0.27.12, 0.27.13, 0.27.14, 0.27.15, 0.28.0, 0.28.1, 0.28.2, 0.28.3, 0.28.4, 0.28.5, 0.28.6, 0.28.7, 0.28.8, 0.28.9, 0.28.10, 0.28.11, 0.28.12, 0.29.0, 0.29.1, 0.29.2, 0.29.3, 0.29.4, 0.29.6, 0.29.7, 0.29.8, 0.29.9, 0.29.10, 0.29.11, 0.29.12, 0.29.13, 0.29.14, 0.29.15, 0.29.16, 0.29.17, 0.30.0, 0.30.1, 0.30.2, 0.30.3, 0.30.4, 0.30.5, 0.30.6, 0.30.7, 0.30.8, 0.30.9, 0.31.0, 0.31.1, 0.31.2, 0.31.3, 0.31.4, 0.31.5, 0.31.6, 0.31.7, 0.31.8, 0.31.9, 0.31.10, 0.31.11, 0.31.12, 0.31.13, 0.31.14, 0.31.15, 0.31.16, 0.31.17, 0.31.18, 0.32.0, 0.32.1, 0.32.2, 0.32.3, 0.32.4, 0.32.5, 0.33.0, 0.33.1, 0.33.2, 0.33.3, 0.33.4, 0.33.5, 0.33.6, 0.33.7, 0.33.8, 0.33.9
All unaffected versions: 0.32.6, 0.33.10, 0.33.11, 0.33.12, 0.33.13, 0.34.0, 0.34.1, 0.34.2, 0.34.3, 0.34.4, 0.34.5, 0.34.6, 0.34.7, 0.35.0, 0.35.1, 0.35.2, 0.35.3, 0.35.4, 0.35.5, 0.35.6, 0.35.7, 0.35.8, 0.35.9, 0.35.10, 0.35.11, 0.35.12, 0.35.13, 0.35.14, 0.35.15, 0.35.16, 0.35.17, 0.35.18, 0.35.19, 0.35.20, 0.35.21, 0.35.22, 0.35.23, 0.36.0, 0.36.1, 0.36.2, 0.36.3, 0.36.4, 0.36.5, 0.37.0, 0.37.1, 0.38.0, 0.38.1, 0.38.2, 0.38.3, 0.39.0, 0.39.1, 0.39.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 2.13.0, 3.0.0, 3.1.0, 3.2.0, 4.0.0, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3.0, 4.4.0, 4.4.1, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.10.0, 4.11.0, 4.12.0, 4.12.1, 4.12.2, 4.13.0, 4.13.1, 4.14.0, 4.15.0, 4.15.1, 4.16.0, 4.16.1, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.20.1, 4.21.0, 4.22.0, 4.23.0, 4.23.1, 4.23.2, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.28.1, 4.28.2, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.33.1, 4.33.2, 4.34.0, 4.35.0, 4.36.0, 4.36.1, 4.36.2, 4.36.3, 4.36.4, 4.36.5, 4.36.6, 4.36.7, 4.36.8, 4.36.9, 4.36.10, 4.37.0, 4.37.1, 4.37.2, 4.37.3, 4.37.4, 4.38.0, 4.38.1, 4.38.2, 4.38.3, 4.39.0, 4.39.1, 4.39.2, 4.39.3, 4.40.0, 4.41.0, 4.42.0, 4.43.0, 4.43.1, 4.43.2, 5.0.0, 5.1.0, 5.1.1, 5.1.2, 6.0.0, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 7.0.0, 7.1.0, 7.1.1, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 9.0.0, 9.0.1, 9.1.0, 10.0.0, 10.1.0, 10.1.1, 10.1.2, 10.2.0, 10.3.0, 10.3.1, 10.3.2

pypi:invenio-drafts-resources

Dependent packages: 4
Dependent repositories: 21
Downloads: 13,823 last month
Affected Version Ranges: >= 0.14.0, < 0.14.6, < 0.13.7
Fixed in: 0.14.6, 0.13.7
All affected versions: 0.1.0, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.5
All unaffected versions: 0.13.7, 0.14.6, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.17.0, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.13.1, 2.0.0, 2.0.1, 2.0.2, 3.0.0

pypi:invenio-app-rdm

Dependent packages: 5
Dependent repositories: 18
Downloads: 4,056 last month
Affected Version Ranges: < 6.0.5
Fixed in: 6.0.5
All affected versions: 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.13.0, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5, 0.14.6, 0.14.7, 0.14.8, 0.15.0, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.16.6, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.18.0, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 0.18.6, 0.18.7, 0.18.8, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.19.4, 0.19.5, 0.19.6, 0.19.7, 0.19.8, 0.19.9, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.5, 0.20.6, 0.20.7, 0.20.8, 0.20.9, 0.20.10, 0.20.11, 1.0.0, 2.0.0, 2.0.1, 3.0.0, 4.0.0, 4.0.1, 5.0.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4
All unaffected versions: 6.0.5, 7.0.0, 7.0.1, 8.0.0, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 10.0.0, 10.1.0, 10.1.1, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5