Lucene search

GoogleOSV:GHSA-9RJ9-5WCV-XGF2

HistoryMay 02, 2022 - 3:38 a.m.

Roundup Improper Access Control

2022-05-0203:38:04

Google

osv.dev

6.6 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

60.1%

JSON

The EditCSVAction function in cgi/actions.py in Roundup 1.2 before 1.2.1, 1.4 through 1.4.6, and possibly other versions does not properly check permissions, which allows remote authenticated users with edit or create privileges for a class to modify arbitrary items within that class, as demonstrated by editing all queries, modifying settings, and adding roles to users.

CPENameOperatorVersion
roundupeq1.4.5.1
roundupeq1.4.4
roundupeq1.4.0
roundupeq1.4.3
roundupeq1.4.1
roundupeq1.2.0
roundupeq1.4.6
roundupeq1.4.2

Name	Operator	Version
roundup	eq	1.4.5.1
roundup	eq	1.4.4
roundup	eq	1.4.0
roundup	eq	1.4.3
roundup	eq	1.4.1
roundup	eq	1.2.0
roundup	eq	1.4.6
roundup	eq	1.4.2

References

bugs.debian.org/cgi-bin/bugreport.cgi?bug=518768

issues.roundup-tracker.org/issue2550521

secunia.com/advisories/34192

www.debian.org/security/2009/dsa-1754

www.osvdb.org/56368

www.securityfocus.com/bid/34059

bugzilla.redhat.com/show_bug.cgi?id=489355

github.com/roundup-tracker/roundup/blob/d24abceaa19072b28e5c8ae0db4dd341597d14fc/CHANGES.txt#L2356

nvd.nist.gov/vuln/detail/CVE-2009-2737

sourceforge.net/p/roundup/code/ci/4081

www.redhat.com/archives/fedora-package-announce/2009-March/msg00429.html

www.redhat.com/archives/fedora-package-announce/2009-March/msg00439.html