GHSA-qrmm-w4v4-q7f8 – docassemble

Package

Manager: pip
Name: docassemble
Vulnerable Version: >=0 <1.2.65

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Unauthorized access through URL manipulation ### Impact The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. ### Patches The vulnerability has been patched in version 1.2.65 of the `master` branch, version 1.1.113 of the 1.1.x series, and version 1.0.12 of the `stable` branch. The Docker image on docker.io has been patched. ### Workarounds If upgrading is not possible, manually apply the changes of https://github.com/jhpyle/docassemble/commit/e3dbf6ce054b3c0310996f0657289f5eed0a73fe and restart the server (e.g., by pressing Save on the Configuration screen). ### Credit The vulnerability was discovered by Jim Platania of Seiso LLC (@jimmio). ### For more information If you have any questions or comments about this advisory: * Open an issue in [docassemble](https://github.com/jhpyle/docassemble/issues) * Join the [Slack channel](https://join.slack.com/t/docassemble/shared_invite/zt-ohrn8y9z-_Fb3RAl~JPBU6Km7odBPfQ) * Email us at [jhpyle@gmail.com](mailto:jhpyle@gmail.com)

Metadata

Created: 2021-05-06T15:27:22Z
Modified: 2021-05-05T18:45:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-qrmm-w4v4-q7f8/GHSA-qrmm-w4v4-q7f8.json
CWE IDs: ["CWE-552"]
Alternative ID: N/A
Finding: F123
Auto approve: 1