Ecosyste.ms: Advisories
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI1NzgtcGo2Zi1yNGZm
Auto-merging Person Records Compromised
Impact
A newly registered user can take over anyone's account knowing only that person's basic profile information (name, birthday, gender, etc.). The attacker then has all app functionality in that account, as well as any authenticated links to Rock-based web pages (such as giving and events).
Patches
We have released a security patch in v2.20.0. The fix is to always create a new (duplicate) person record and then patch the new person with the submitted profile details, rather than merging the registration into an existing person.
Workarounds
If you do not wish to upgrade your app to the new version, you can patch your server by overriding the create data source method on the People class:
create = async (profile) => {
  const rockUpdateFields = this.mapApollosFieldsToRock(profile);
  // auto-merge functionality is compromised
  // we are creating a new user and patching them with profile details
  const id = await this.post('/People', {
    Gender: 0, // required by Rock. Listed first so it can be overridden.
    IsSystem: false, // required by Rock
  });
  await this.patch(`/People/${id}`, {
    ...rockUpdateFields,
  });
  return id;
};
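To make the flaw and the fix concrete, here is an added example (not code from apollos-apps or Rock): a synchronous in-memory stand-in for the Rock People API, with a create that auto-merges on matching profile fields next to one that follows the workaround above. The Rock field names used (FirstName, LastName, BirthDate, Gender) and the gender encoding are assumptions.

```javascript
// Added example, not apollos-apps code: an in-memory stand-in for Rock's People
// API; field names (FirstName, LastName, BirthDate, Gender) are assumptions.
class FakeRockApi {
  constructor(seed = []) {
    this.people = new Map();
    this.nextId = 1;
    seed.forEach((p) => this.post('/People', p));
  }
  post(path, body) { // POST /People returns the new person's Id
    const id = this.nextId++;
    this.people.set(id, { Id: id, ...body });
    return id;
  }
  patch(path, body) { // PATCH /People/{id} merges fields into the record
    const id = Number(path.split('/').pop());
    this.people.set(id, { ...this.people.get(id), ...body });
  }
  find(fields) { // first person whose fields all match
    for (const p of this.people.values()) {
      if (Object.entries(fields).every(([k, v]) => p[k] === v)) return p;
    }
    return null;
  }
}

function mapApollosFieldsToRock(profile) {
  return {
    FirstName: profile.firstName,
    LastName: profile.lastName,
    BirthDate: profile.birthDate,
    Gender: profile.gender === 'female' ? 2 : 1,
  };
}

// Auto-merge behaviour (the flaw): a registration whose name, birthday and
// gender match an existing record is attached to that record's Id.
function createWithAutoMerge(api, profile) {
  const fields = mapApollosFieldsToRock(profile);
  const existing = api.find(fields);
  return existing ? existing.Id : api.post('/People', { Gender: 0, IsSystem: false, ...fields });
}

// Patched behaviour from the advisory: always create a new person, then
// patch the profile details onto that new record.
function createFixed(api, profile) {
  const id = api.post('/People', { Gender: 0, IsSystem: false });
  api.patch(`/People/${id}`, mapApollosFieldsToRock(profile));
  return id;
}
```

With a seeded existing person, createWithAutoMerge hands the registrant that person's Id, while createFixed always yields a fresh Id; duplicate records are then a data-quality problem for staff to resolve, not an authentication one.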
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI1NzgtcGo2Zi1yNGZm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-r578-pj6f-r4ff, CVE-2021-32691
References:
- https://github.com/ApollosProject/apollos-apps/security/advisories/GHSA-r578-pj6f-r4ff
- https://nvd.nist.gov/vuln/detail/CVE-2021-32691
- https://github.com/ApollosProject/apollos-apps/commit/cb5f8f1c0b24f1b215b2bb5eb6f9a8e16d728ce2
- https://github.com/ApollosProject/apollos-apps/releases/tag/v2.20.0
- https://github.com/advisories/GHSA-r578-pj6f-r4ff
Blast Radius: 11.0
Affected Packages
npm:@apollosproject/data-connector-rock
Dependent packages: 4
Dependent repositories: 18
Downloads: 9,375 last month
Affected Version Ranges: < 2.20.0
Fixed in: 2.20.0
All affected versions: 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 2.13.0, 2.13.1, 2.14.0, 2.15.0, 2.16.0, 2.17.0, 2.18.0, 2.18.1, 2.19.0
All unaffected versions: 2.20.0, 2.21.0, 2.21.1, 2.21.2, 2.22.0, 2.23.0, 2.23.1, 2.24.0, 2.25.0, 2.26.0, 2.27.0, 2.27.1, 2.27.2, 2.28.0, 2.29.0, 2.29.1, 2.29.2, 2.29.3, 2.30.0, 2.31.0, 2.32.0, 2.32.1, 2.32.2, 2.33.0, 2.33.1, 2.33.2, 2.33.3, 2.33.4, 2.34.0, 2.35.0, 2.36.0, 2.36.1, 2.36.2, 2.36.3, 2.37.0, 2.38.0, 2.39.0, 2.40.0, 2.41.0, 2.42.0, 2.43.0, 2.43.1, 2.44.0, 2.44.1, 2.44.2, 2.44.3, 2.44.4, 2.45.0, 2.45.1, 2.46.0, 2.46.1, 2.46.2, 2.46.3, 2.46.4, 2.46.5, 2.46.6, 2.46.7, 2.46.8, 2.46.9, 2.46.10, 2.46.11, 2.46.12, 2.46.13, 2.46.14, 2.46.15, 2.46.16, 2.46.17, 2.46.18, 2.46.19, 2.46.20, 2.46.21, 2.46.22, 2.46.23, 2.46.24, 2.46.25, 2.46.26, 2.46.27, 2.46.28, 2.46.29, 2.46.30, 2.46.31, 2.46.32, 2.46.33, 2.46.34, 2.46.35, 2.46.36, 2.46.37, 2.46.38, 2.46.39, 2.46.40, 2.46.41, 2.46.42, 2.46.43, 2.46.44, 2.46.45, 2.46.46, 2.46.47, 2.46.48, 2.46.49, 2.46.50, 2.46.51, 2.46.52, 2.46.53, 2.46.54, 2.46.55, 2.46.56, 2.46.57, 2.46.58, 2.46.59, 2.46.60, 2.46.61, 2.46.62, 2.46.63, 2.46.64, 2.46.65, 2.46.66, 2.46.67, 2.46.68, 2.46.69, 2.46.70, 2.46.71, 2.46.72, 2.46.73, 2.46.74, 2.46.75, 2.46.76, 2.46.77, 2.46.78, 2.46.79, 2.46.80, 2.46.81, 2.46.82, 2.46.83, 2.46.84, 2.46.85, 2.46.86, 2.46.87, 2.46.88, 2.46.89, 2.46.90, 2.46.91, 2.46.92, 2.46.93, 2.46.94, 2.46.95, 2.46.96, 2.46.97, 2.46.98, 2.46.99, 2.46.100, 2.46.101, 2.46.102, 2.46.103, 2.46.104, 2.46.105, 2.46.106, 2.46.107, 2.46.108, 2.46.109, 2.46.110, 2.46.111, 2.46.112, 2.46.113, 2.46.114, 2.46.115, 2.46.116, 2.46.117, 2.46.118, 2.46.119, 2.46.120, 2.46.121, 2.46.122, 2.46.123, 2.46.124, 2.46.125, 2.46.126, 2.46.127, 2.46.128, 2.46.129, 2.46.130, 2.46.131, 2.46.132, 2.46.133, 2.46.134, 2.46.135, 2.46.136, 2.46.137, 2.46.138, 2.46.139, 2.46.140, 2.46.141, 2.46.142, 2.46.143, 2.46.144, 2.46.145, 2.46.146, 2.46.147, 2.46.148, 2.46.149, 2.46.150, 2.46.151, 2.46.152, 2.46.153, 2.46.154, 2.46.155, 2.46.156, 2.46.157, 2.46.158, 2.46.159, 2.46.160, 2.46.161, 2.46.162, 2.46.163, 2.46.164, 2.46.165, 2.46.166, 2.46.167, 2.46.168, 2.46.169, 2.46.170, 2.46.171, 2.46.172, 2.46.173, 2.46.174, 2.46.175, 2.46.176, 2.46.177, 2.46.178, 2.46.179, 2.46.180, 2.46.181, 2.46.182, 2.46.183, 2.46.184, 2.46.185, 2.46.186, 2.46.187, 2.46.188, 2.46.189, 2.46.190, 2.46.191, 2.46.192, 2.46.193, 2.46.194, 2.46.195, 2.46.196, 2.46.197, 2.46.198, 2.47.0, 2.47.1, 2.47.2, 2.47.3, 2.47.4, 2.47.5, 2.47.6, 2.47.7, 2.47.9