Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-1eex-e332-37e8

Summary

Access control issue in ezsystems/ezpublish-kernel
Access control based on object state is mishandled. This is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on how your frontent is designed, knowing the URL to the content may or may not be required to access it. If you are using object state limitations in your roles, this issue is critical. Please apply the fix as soon as possible.

Aliases

alias	CVE-2022-48367

alias	GHSA-h5v2-wrhp-5v35

Fixed_packages

url	pkg:composer/ezsystems/ezpublish-kernel@7.5.28
purl	pkg:composer/ezsystems/ezpublish-kernel@7.5.28
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.28

Affected_packages

url pkg:composer/ezsystems/ezpublish-kernel@7.5.0

purl pkg:composer/ezsystems/ezpublish-kernel@7.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1eex-e332-37e8

vulnerability	VCID-86hr-ej2a-ubbw

vulnerability	VCID-jz3f-vywm-v7a7

vulnerability	VCID-m6hv-1sz4-mfff

vulnerability	VCID-q58t-76x6-mqgp

vulnerability	VCID-tw5w-dvc4-gfh4

vulnerability	VCID-ueng-9gm9-4qb2

vulnerability	VCID-veax-u5rr-4kbv

vulnerability	VCID-vpbp-kn99-hygk

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/ezsystems/ezpublish-kernel@7.5.0

References

reference_url	https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge
reference_id
reference_type
scores
url	https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge

reference_url	https://github.com/ezsystems/ezpublish-kernel
reference_id
reference_type
scores
url	https://github.com/ezsystems/ezpublish-kernel

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2022-48367
reference_id	CVE-2022-48367
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2022-48367

reference_url	https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x
reference_id	GHSA-5x4f-7xgq-r42x
reference_type
scores
url	https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x

reference_url	https://github.com/advisories/GHSA-h5v2-wrhp-5v35
reference_id	GHSA-h5v2-wrhp-5v35
reference_type
scores
url	https://github.com/advisories/GHSA-h5v2-wrhp-5v35

Weaknesses

cwe_id	862
name	Missing Authorization
description	The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1eex-e332-37e8

Vulnerability Instance