Lucene search

GitHub Advisory DatabaseGHSA-JH3W-6JP2-VQQM

HistoryApr 26, 2023 - 7:47 p.m.

Missing permission check of canView in GridFieldPrintButton

2023-04-2619:47:07

CWE-862

GitHub Advisory Database

github.com

missing permission check

gridfieldprintbutton

silverstripe framework

security issue

upgrade

relaxt webdienstleistungsagentur gmbh

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

29.6%

JSON

The GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access.

Upgrade to silverstripe/framework 4.12.5 or above to address the issue.

Reported by Stephan Bauer from relaxt Webdienstleistungsagentur GmbH

Affected configurations

Vulners

Node

silverstripeframeworkRange<4.12.5

VendorProductVersionCPE
silverstripeframework*cpe:2.3:a:silverstripe:framework:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
silverstripe	framework	*	cpe:2.3:a:silverstripe:framework::::::::

References

github.com/advisories/GHSA-jh3w-6jp2-vqqm

github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-22728.yaml

github.com/silverstripe/silverstripe-framework/commit/fd5d8217e83768d7bf841e94b2d4d82642d5bc58

github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-jh3w-6jp2-vqqm

nvd.nist.gov/vuln/detail/CVE-2023-22728

www.silverstripe.org/download/security-releases/cve-2023-22728

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

29.6%

JSON

Related for GHSA-JH3W-6JP2-VQQM