Описание
Lack of access control on upoaded files
SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2019-12245
- https://forum.silverstripe.org/c/releases
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/assets/CVE-2019-12245.yaml
- https://www.silverstripe.org/download/security-releases
- https://www.silverstripe.org/download/security-releases/CVE-2019-12245
- https://www.silverstripe.org/download/security-releases/cve-2019-12245
Пакеты
Наименование
silverstripe/framework
composer
Затронутые версииВерсия исправления
< 3.6.8
3.6.8
Наименование
silverstripe/framework
composer
Затронутые версииВерсия исправления
>= 3.7.0, < 3.7.4
3.7.4
Наименование
silverstripe/framework
composer
Затронутые версииВерсия исправления
>= 4.0.0, < 4.3.6
4.3.6
Наименование
silverstripe/framework
composer
Затронутые версииВерсия исправления
>= 4.4.0, < 4.4.4
4.4.4
Наименование
silverstripe/assets
composer
Затронутые версииВерсия исправления
>= 1.0.0, < 1.3.5
1.3.5
Наименование
silverstripe/assets
composer
Затронутые версииВерсия исправления
>= 1.4.0, < 1.4.4
1.4.4
Связанные уязвимости
CVSS3: 5.3
nvd
больше 6 лет назад
SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.