Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ncWNmLTgzcnEtZ3Bmcs0VwA
Any storage file can be downloaded from p.sh if full server path is known
The default configuration for platform.sh (.platform.app.yaml) allows access to uploaded files if you know or can guess their location, regardless of whether roles grant content read access to the content containing those files. If you're using Legacy Bridge, the default configuration also allows access to certain legacy files that should not be readable, including the legacy var directory and extension directories.
Permalink: https://github.com/advisories/GHSA-gqcf-83rq-gpfrJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ncWNmLTgzcnEtZ3Bmcs0VwA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: almost 2 years ago
Identifiers: GHSA-gqcf-83rq-gpfr
References:
- https://github.com/ibexa/post-install/security/advisories/GHSA-gqcf-83rq-gpfr
- https://developers.ibexa.co/security-advisories/ibexa-sa-2021-006-storage-and-legacy-files-accessible-if-path-is-known
- https://github.com/advisories/GHSA-gqcf-83rq-gpfr
Blast Radius: 0.0
Affected Packages
packagist:ibexa/post-install
Dependent packages: 1Dependent repositories: 9
Downloads: 514,898 total
Affected Version Ranges: <= 1.0.4
Fixed in: 1.0.4.1
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4
All unaffected versions: 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.6.8, 4.6.9, 4.6.10, 4.6.11, 4.6.12, 4.6.13