
GHSA-m58q-qq5h-mgqq: Islandora 2.0 before 2.4.1 could allow any user to upload content into a repository

Impact

This vulnerability would allow any user, regardless of permissions, to upload content into a repository. This affects installations of Islandora core 2.0 or greater.

Patches

Upgrade immediately to the latest release of Islandora.

Workarounds

In lieu of an upgrade, the following module can be used to resolve the issue until an upgrade can take place.

For more information

If you have any questions or comments about this advisory:


Critical severity • GitHub Reviewed • Published Jul 21, 2022 in Islandora/islandora • Updated Jul 21, 2022

Package: islandora/islandora (Composer)
Affected versions: >= 2.0, < 2.4.1
Patched versions: 2.4.1
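One way to check whether a site's composer.lock pins islandora/islandora inside the affected range given in this advisory. This is an added example, not code from the advisory or the Islandora project; the function names are hypothetical and the sample lock content is constructed.

```python
import json
import re

PACKAGE = "islandora/islandora"
AFFECTED_MIN = (2, 0, 0)  # advisory: affected ">= 2.0"
PATCHED = (2, 4, 1)       # advisory: patched in 2.4.1

# Constructed sample: a minimal composer.lock pinning an affected release.
SAMPLE_LOCK = """{
  "packages": [
    {"name": "drupal/core", "version": "9.4.1"},
    {"name": "islandora/islandora", "version": "2.3.0"}
  ],
  "packages-dev": []
}"""

def parse_version(raw):
    """Return (major, minor, patch) for a plain release tag, else None.

    Branch aliases ("dev-2.x", "2.x-dev") and pre-releases cannot be
    ordered reliably against 2.4.1, so they are reported for manual review.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def check_lock(lock_text):
    """Classify a composer.lock: affected, not-affected, unknown, not-installed."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        version = parse_version(pkg.get("version", ""))
        if version is None:
            return "unknown"
        return "affected" if AFFECTED_MIN <= version < PATCHED else "not-affected"
    return "not-installed"

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

An "unknown" result means the lock file tracks a branch or pre-release, so the installed commit has to be compared against the 2.4.1 tag by hand.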


References

  • GHSA-m58q-qq5h-mgqq
  • Islandora/islandora@573d687
  • https://github.com/Islandora/islandora/releases/tag/2.4.1

rosiel published the maintainer security advisory on Jul 21, 2022

Severity: Critical (10.0 / 10)

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weaknesses: No CWEs
CVE ID: No known CVE
GHSA ID: GHSA-m58q-qq5h-mgqq
Source code: Islandora-CLAW/islandora

Credits

  • jordandukart
  • lutaylor
  • rosiel
  • adam-vessey
