logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2021-43781 invenio-drafts-resources

Package

Manager: pip
Name: invenio-drafts-resources
Vulnerable Version: >=0 <0.13.7 || >=0.14.0 <0.14.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00109 pctl0.29931

Details

Permissions not properly checked in Invenio-Drafts-Resources ### Impact Invenio-Drafts-Resources does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. *cannot* change a record from restricted to public. ### Details The service's ``publish()`` method contains the following permission check: ```python def publish(..): self.require_permission(identity, "publish") ``` However, the record should have been passed into the permission check so that the need generators have access to e.g. the record owner. ```python def publish(..): self.require_permission(identity, "publish", record=record) ``` The bug is activated in Invenio-RDM-Records which has a need generator called ``RecordOwners()``, which when no record is passed in defaults to allow any authenticated user: ```python class RecordOwners(Generator): def needs(self, record=None, **kwargs): if record is None: return [authenticated_user] # ... ``` ### Patches The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6+, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively. You can verify the version installed of Invenio-Drafts-Resources via PIP: ```console cd ~/src/my-site pipenv run pip freeze | grep invenio-drafts-resources ``` ### References - [Security policy](https://invenio.readthedocs.io/en/latest/community/security-policy.html) ### For more information If you have any questions or comments about this advisory: * Chat with us on Discord: https://discord.gg/8qatqBC

Metadata

Created: 2021-12-06T23:57:59Z
Modified: 2024-09-23T16:02:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-xr38-w74q-r8jv/GHSA-xr38-w74q-r8jv.json
CWE IDs: ["CWE-862", "CWE-863"]
Alternative ID: GHSA-xr38-w74q-r8jv
Finding: F039
Auto approve: 1