Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qNTU2LXEzNjctMmd3Ns4AAdYM
Roundup sensitive data disclosure vulnerability
schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details.
Permalink: https://github.com/advisories/GHSA-j556-q367-2gw6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNTU2LXEzNjctMmd3Ns4AAdYM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 9 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-j556-q367-2gw6, CVE-2014-6276
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-6276
- https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt
- http://hg.code.sf.net/p/roundup/code/rev/a403c29ffaf9
- http://www.debian.org/security/2016/dsa-3502
- https://github.com/advisories/GHSA-j556-q367-2gw6
Blast Radius: 2.1
Affected Packages
pypi:roundup
Dependent packages: 0Dependent repositories: 3
Downloads: 226 last month
Affected Version Ranges: < 1.5.1
Fixed in: 1.5.1
All affected versions: 0.5.9, 0.6.8, 0.6.9, 0.6.11, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.7, 0.7.8, 0.7.9, 0.7.11, 0.7.12, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.20, 1.4.21, 1.5.0
All unaffected versions: 1.5.1, 1.6.0, 1.6.1, 2.0.0, 2.1.0, 2.2.0, 2.3.0