CVE-2023-35167

Опубликовано: 23 июн. 2023

Источник: nvd

CVSS3: 5

CVSS3: 6.3

EPSS Низкий

Описание

Remult is a CRUD framework for full-stack TypeScript. If you used the apiPrefilter option of the @Entity decorator, by setting it to a function that returns a filter that prevents unauthorized access to data, an attacker who knows the id of an entity instance is not authorized to access, can gain read, update and delete access to it. The issue is fixed in version 0.20.6. As a workaround, set the apiPrefilter option to a filter object instead of a function.

Ссылки

https://github.com/remult/remult/commit/6892ae97134126d8710ef7302bb2fc37730994c5
Patch
https://github.com/remult/remult/releases/tag/v0.20.6
Release Notes
https://github.com/remult/remult/security/advisories/GHSA-7hh3-3x64-v2g9
Third Party Advisory
https://github.com/remult/remult/commit/6892ae97134126d8710ef7302bb2fc37730994c5
Patch
https://github.com/remult/remult/releases/tag/v0.20.6
Release Notes
https://github.com/remult/remult/security/advisories/GHSA-7hh3-3x64-v2g9
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:remult:remult:*:*:*:*:*:node.js:*:*

Версия до 0.20.6 (исключая)

EPSS

Процентиль: 17%

0.00055

Низкий

5 Medium

CVSS3

6.3 Medium

CVSS3

Дефекты

CWE-284

Связанные уязвимости

GHSA-7hh3-3x64-v2g9

CVSS3: 5

github

больше 2 лет назад

When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id

EPSS

Процентиль: 17%

0.00055

Низкий

5 Medium

CVSS3

6.3 Medium

CVSS3

Дефекты

CWE-284