Lucene search

GitHub_MCVELIST:CVE-2024-27105

HistoryMar 20, 2024 - 6:11 p.m.

CVE-2024-27105 Frappe File Permissions can by bypassed using certain endpoints

2024-03-2018:11:58

CWE-863

GitHub_M

www.cve.org

frappe

file permissions

bypass

endpoints

less privileged users

patch

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available.

CNA Affected

[
  {
    "vendor": "frappe",
    "product": "frappe",
    "versions": [
      {
        "version": "< 14.66.3",
        "status": "affected"
      },
      {
        "version": ">= 15.0.0, < 15.16.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for CVELIST:CVE-2024-27105