4 matches found

vulnersOsv
added 2024/02/08 6:32 p.m. · 1 view

kinto-dist (>=0.7.0 <=18.0.2) potentially affected by CVE-2024-1314 via kinto-attachment (>=0.8.0 <=6.0.2)

kinto-attachment PYPI version =0.8.0, =0.7.0, =18.0.2 Source cves: CVE-2024-1314 Source advisory: OSV:GHSA-HVP4-VRV2-8WRQ...

5.5 AI score
Exploits 0
Github Security Blog
added 2024/02/08 6:32 p.m. · 17 views

Kinto Attachment's attachments can be replaced on read-only records

Impact The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent collection or bucket. And if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request...

6.4 AI score
Exploits 0 · References 4 · Affected Software 1
OSV
added 2024/02/08 6:32 p.m. · 18 views

GHSA-HVP4-VRV2-8WRQ Kinto Attachment's attachments can be replaced on read-only records

Impact The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent collection or bucket. And if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request...

8.6 CVSS · 6.3 AI score
Exploits 0 · References 4
Positive Technologies
added 2024/02/08 12:0 a.m. · 5 views

PT-2024-17934 · Unknown · Kinto-Attachment

Name of the Vulnerable Software and Affected Versions: kinto-attachment versions prior to 6.4.0 Description: The issue allows an attachment file of an existing record to be replaced if a user has read permission on one of the parent collections or buckets. Furthermore, if the read permission is...

8.6 CVSS · 6.5 AI score
Exploits 0 · References 5