OSV:GHSA-35JJ-VQCF-F2JF
Apr 26, 2023 - 7:45 p.m.

Hidden fields can be leaked on readable collections in Payload

2023-04-26 19:45:04
Google
osv.dev

CVSS3: 7.4

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS: 0.001
Percentile: 35.0%

Details

If a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force.

Affected versions: < 1.7.0

Workarounds

If you are unable to update, you can write a beforeOperation hook to remove where queries that attempt to access hidden field data.
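
One way to write that filter, as an added example that is not part of the advisory and not Payload's own code. The field names in HIDDEN_FIELDS and the function names are constructed for illustration, and the hook is assumed to receive { args, operation } and return args.

```javascript
// Field paths to protect. Constructed names; list your own hidden fields.
const HIDDEN_FIELDS = ['apiSecret', 'internal.notes'];

// True when a where key targets a hidden field or one of its sub-paths.
function isHiddenPath(path, hidden) {
  return hidden.some((h) => path === h || path.startsWith(h + '.'));
}

// Return a copy of a where query without any constraint on a hidden field.
// Recurses through and/or groups and drops groups that end up empty.
function stripHiddenWhere(where, hidden = HIDDEN_FIELDS) {
  if (!where || typeof where !== 'object' || Array.isArray(where)) return {};
  const out = {};
  for (const [key, value] of Object.entries(where)) {
    const lower = key.toLowerCase(); // match AND/OR in any case, as a precaution
    if (lower === 'and' || lower === 'or') {
      const kept = (Array.isArray(value) ? value : [])
        .map((clause) => stripHiddenWhere(clause, hidden))
        .filter((clause) => Object.keys(clause).length > 0);
      if (kept.length > 0) out[key] = kept;
    } else if (!isHiddenPath(key, hidden)) {
      out[key] = value;
    }
  }
  return out;
}

// Hook body. Assumes the ({ args, operation }) => args shape; arguments
// without a where clause pass through untouched.
const removeHiddenWhere = ({ args }) => {
  if (!args || !args.where) return args;
  return { ...args, where: stripHiddenWhere(args.where) };
};

// Constructed request: probes apiSecret one prefix at a time via "like".
const probe = {
  and: [{ title: { like: 'report' } }, { apiSecret: { like: 'sk_a' } }],
};
console.log(JSON.stringify(stripHiddenWhere(probe)));
```

Register removeHiddenWhere in the collection's hooks.beforeOperation array. Dropping a clause widens the result set, so reject the request instead where that is not acceptable.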

Detecting Compromise

Monitor your instance for brute-force style requests that use where queries.
