GHSA-hvp4-vrv2-8wrq
First published: Thu Feb 08 2024(Updated: )
### Impact The attachment file of an existing record can be replaced if the user has `"read"` permission on one of the parent (collection or bucket). And if the `"read"` permission is given to `"system.Everyone"` on one of the parent, then the attachment can be replaced on a record using an anonymous request. Note that if the parent has no explicit read permission, then the records attachments are safe. ### Patches - Patch released in kinto-attachment 6.4.0 - https://github.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1 ### Workarounds None if the read permission has to remain granted. Updating to 6.4.0 or applying the patch individually (if updating is not feasible) is strongly recommended. ### References - https://bugzilla.mozilla.org/show_bug.cgi?id=1879034
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/kinto-attachment | <=6.3.2 | 6.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hvp4-vrv2-8wrq
- alias/CVE-2024-1314
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- collector/github-advisory
- package-manager/pip