Skip to content

Permissions not properly checked when a record is published.

Moderate
lnielsen published GHSA-xr38-w74q-r8jv Dec 6, 2021

Package

pip invenio-app-rdm (pip)

Affected versions

<6.0.0, 7.0.0.dev0, 7.0.0.dev1, 7.0.0.dev2, 7.0.0.dev3, 7.0.0.dev4

Patched versions

6.0.5,7.0.0.dev5+
pip invenio-drafts-resources (pip)
<0.13.7,0.14.0,0.14.1,0.14.2,0.14.3,0.14.5
0.13.7,0.14.6
pip invenio-rdm-records (pip)
<0.32.6,0.33.0-0.33.9
0.32.6+,0.33.10+

Description

Impact

Invenio-Drafts-Resources does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. cannot change a record from restricted to public.

Details

The service's publish() method contains the following permission check:

def publish(..):
    self.require_permission(identity, "publish")

However, the record should have been passed into the permission check so that the need generators have access to e.g. the record owner.

def publish(..):
    self.require_permission(identity, "publish", record=record)

The bug is activated in Invenio-RDM-Records which has a need generator called RecordOwners(), which when no record is passed in defaults to allow any authenticated user:

class RecordOwners(Generator):
    def needs(self, record=None, **kwargs):
        if record is None:
            return [authenticated_user]
    # ...

Patches

The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6+, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively.

You can verify the version installed of Invenio-Drafts-Resources via PIP:

cd ~/src/my-site
pipenv run pip freeze | grep invenio-drafts-resources

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVE ID

CVE-2021-43781

Weaknesses

No CWEs

Credits