Описание
Permissions not properly checked in Invenio-Drafts-Resources
Impact
Invenio-Drafts-Resources does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. cannot change a record from restricted to public.
Details
The service's publish() method contains the following permission check:
However, the record should have been passed into the permission check so that the need generators have access to e.g. the record owner.
The bug is activated in Invenio-RDM-Records which has a need generator called RecordOwners(), which when no record is passed in defaults to allow any authenticated user:
Patches
The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6+, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively.
You can verify the version installed of Invenio-Drafts-Resources via PIP:
References
For more information
If you have any questions or comments about this advisory:
- Chat with us on Discord: https://discord.gg/8qatqBC
Ссылки
- https://github.com/inveniosoftware/invenio-drafts-resources/security/advisories/GHSA-xr38-w74q-r8jv
- https://nvd.nist.gov/vuln/detail/CVE-2021-43781
- https://github.com/inveniosoftware/invenio-drafts-resources/commit/039b0cff1ad4b952000f4d8c3a93f347108b6626
- https://github.com/pypa/advisory-database/tree/main/vulns/invenio-app-rdm/PYSEC-2021-837.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/invenio-drafts-resources/PYSEC-2021-836.yaml
Пакеты
invenio-drafts-resources
< 0.13.7
0.13.7
invenio-app-rdm
< 6.0.5
6.0.5
invenio-rdm-records
< 0.32.6
0.32.6
invenio-drafts-resources
>= 0.14.0, < 0.14.6
0.14.6
invenio-rdm-records
>= 0.33.0, < 0.33.10
0.33.10
invenio-app-rdm
>= 7.0.0.dev0, < 7.0.0.dev5
7.0.0.dev5
EPSS
5.1 Medium
CVSS4
6.4 Medium
CVSS3
CVE ID
Дефекты
Связанные уязвимости
Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated a user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. *cannot* change a record from restricted to public. The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively.
EPSS
5.1 Medium
CVSS4
6.4 Medium
CVSS3