Headline
GHSA-hvp4-vrv2-8wrq: Kinto Attachment's attachments can be replaced on read-only records
Impact
The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent (collection or bucket).
And if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request.
Note that if the parent has no explicit read permission, then the records attachments are safe.
Patches
- Patch released in kinto-attachment 6.4.0
- https://github.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1
Workarounds
None if the read permission has to remain granted.
Updating to 6.4.0 or applying the patch individually (if updating is not feasible) is strongly recommended.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1879034
Package
pip kinto-attachment (pip)
Affected versions
<= 6.3.2
Patched versions
6.4.0
Description
Impact
The attachment file of an existing record can be replaced if the user has “read” permission on one of the parent (collection or bucket).
And if the “read” permission is given to “system.Everyone” on one of the parent, then the attachment can be replaced on a record using an anonymous request.
Note that if the parent has no explicit read permission, then the records attachments are safe.
Patches
- Patch released in kinto-attachment 6.4.0
- Kinto/kinto-attachment@f4a3148
Workarounds
None if the read permission has to remain granted.
Updating to 6.4.0 or applying the patch individually (if updating is not feasible) is strongly recommended.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1879034
References
- GHSA-hvp4-vrv2-8wrq
- Kinto/kinto-attachment@f4a3148
- https://bugzilla.mozilla.org/show_bug.cgi?id=1879034
leplatrem published to Kinto/kinto-attachment
Feb 8, 2024
Published to the GitHub Advisory Database
Feb 8, 2024
Reviewed
Feb 8, 2024
Last updated
Feb 8, 2024