Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1odnA0LXZydjItOHdycc4AA5Kn

Kinto Attachment's attachments can be replaced on read-only records

Impact

The attachment file of an existing record can be replaced if the user has "read" permission on one of the parents (collection or bucket).

If the "read" permission is granted to "system.Everyone" on one of the parents, the attachment of a record can be replaced using an anonymous request.

Note that if the parent has no explicit read permission, then the records' attachments are safe.

Patches

Workarounds

None if the read permission has to remain granted.

Updating to 6.4.0 or applying the patch individually (if updating is not feasible) is strongly recommended.

References

Permalink: https://github.com/advisories/GHSA-hvp4-vrv2-8wrq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1odnA0LXZydjItOHdycc4AA5Kn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago


CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Identifiers: GHSA-hvp4-vrv2-8wrq, CVE-2024-1314
References: Repository: https://github.com/Kinto/kinto-attachment
Blast Radius: 7.3

Affected Packages

pypi:kinto-attachment
Dependent packages: 0
Dependent repositories: 7
Downloads: 678 last month
Affected Version Ranges: <= 6.3.2
Fixed in: 6.4.0
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 2.0.0, 2.0.1, 2.1.0, 3.0.0, 3.0.1, 4.0.0, 5.0.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.1.0, 6.2.0, 6.3.0, 6.3.1, 6.3.2
All unaffected versions: 6.4.0