Lucene search

GitHub_MCVELIST:CVE-2024-27105

HistoryMar 20, 2024 - 6:11 p.m.

CVE-2024-27105 Frappe File Permissions can by bypassed using certain endpoints

2024-03-2018:11:58

CWE-863

GitHub_M

www.cve.org

frappe

file permissions

bypass

endpoints

less privileged users

patch

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS

Percentile

9.0%

JSON

Frappe is a full-stack web application framework. Prior to versions 14.66.3 and 15.16.0, file permission can be bypassed using certain endpoints, granting less privileged users permission to delete or clone a file. Versions 14.66.3 and 15.16.0 contain a patch for this issue. No known workarounds are available.

CNA Affected

[
  {
    "vendor": "frappe",
    "product": "frappe",
    "versions": [
      {
        "version": "< 14.66.3",
        "status": "affected"
      },
      {
        "version": ">= 15.0.0, < 15.16.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2024-27105