CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS
Percentile
21.4%
Invenio-Drafts-Resources does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. cannot change a record from restricted to public.
The service’s publish()
method contains the following permission check:
def publish(..):
self.require_permission(identity, "publish")
However, the record should have been passed into the permission check so that the need generators have access to e.g. the record owner.
def publish(..):
self.require_permission(identity, "publish", record=record)
The bug is activated in Invenio-RDM-Records which has a need generator called RecordOwners()
, which when no record is passed in defaults to allow any authenticated user:
class RecordOwners(Generator):
def needs(self, record=None, **kwargs):
if record is None:
return [authenticated_user]
# ...
The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6+, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively.
You can verify the version installed of Invenio-Drafts-Resources via PIP:
cd ~/src/my-site
pipenv run pip freeze | grep invenio-drafts-resources
If you have any questions or comments about this advisory:
Vendor | Product | Version | CPE |
---|---|---|---|
inveniosoftware | invenio-app | * | cpe:2.3:a:inveniosoftware:invenio-app:*:*:*:*:*:*:*:* |
inveniosoftware | invenio-records | * | cpe:2.3:a:inveniosoftware:invenio-records:*:*:*:*:*:*:*:* |
inveniosoftware | invenio-drafts-resources | * | cpe:2.3:a:inveniosoftware:invenio-drafts-resources:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-xr38-w74q-r8jv
github.com/inveniosoftware/invenio-drafts-resources/commit/039b0cff1ad4b952000f4d8c3a93f347108b6626
github.com/inveniosoftware/invenio-drafts-resources/security/advisories/GHSA-xr38-w74q-r8jv
github.com/pypa/advisory-database/tree/main/vulns/invenio-app-rdm/PYSEC-2021-837.yaml
github.com/pypa/advisory-database/tree/main/vulns/invenio-drafts-resources/PYSEC-2021-836.yaml
nvd.nist.gov/vuln/detail/CVE-2021-43781
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS
Percentile
21.4%