Lucene search
GoogleOSV:GHSA-R578-PJ6F-R4FFHistoryJun 21, 2021 - 5:07 p.m.
Auto-merging Person Records Compromised
2021-06-2117:07:47
Google
osv.dev
10
0.002 Low
EPSS
Percentile
62.1%
Impact
New user registrations are able to access anyone’s account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages (such as giving and events).
Patches
We have released a security patch on v2.20.0. The solution was to create a duplicate person and then patch the new person with their profile details.
Workarounds
If you do not wish to upgrade your app to the new version, you can patch your server by overriding the create data source method on the People class.
create = async (profile) => {
const rockUpdateFields = this.mapApollosFieldsToRock(profile);
// auto-merge functionality is compromised
// we are creating a new user and patching them with profile details
const id = await this.post('/People', {
Gender: 0, // required by Rock. Listed first so it can be overridden.
IsSystem: false, // required by rock
});
await this.patch(`/People/${id}`, {
...rockUpdateFields,
});
return id;
};
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
| CPE | Name | Operator | Version |
|---|---|---|---|
| @apollosproject/data-connector-rock | lt | 2.20.0 |
Related
gitlab
gitlab
Improper Authentication
2021-06-16 00:00:00
cve
cve
CVE-2021-32691
2021-06-16 22:15:07
osv
osv
CVE-2021-32691
2021-06-16 22:15:07
veracode
veracode
Information Disclosure
2021-06-18 06:07:32
cnvd
cnvd
Apollos Apps licensing issue vulnerability
2021-06-18 00:00:00
prion
prion
Information disclosure
2021-06-16 22:15:00
cvelist
cvelist
CVE-2021-32691 Auto-merging Person Records Compromised
2021-06-16 21:45:13
nvd
nvd
CVE-2021-32691
2021-06-16 22:15:07
github
github
Auto-merging Person Records Compromised
2021-06-21 17:07:47