CVE-2023-0609

MEDIUM 6.5 | EPSS 0.16%

wallabag contains Improper Authorization via export feature

Published: 2023/2/2 | Modified: 2023/11/8

Description

# Description

The export feature lets a user export a single entry or a set of entries in a given format (_e.g. PDF, MOBI, TXT_). For example, `https://yourinstance.wallabag.org/export/45.pdf` will export the entry with id 45 in PDF format.

Since wallabag 2.0.0-alpha.1, this feature is vulnerable to an insecure direct object reference attack. A logged-in user can export any single entry without ownership validation. This is due to a lack of access validation in the `downloadEntryAction` method.

**You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or have open registration.**

# Resolution

A user check is now done in the vulnerable method before sending the exported entry. The `Entry` retrieval through a `ParamConverter` has also been replaced with a call to the `EntryRepository`, so that a request for an entry owned by another user cannot be distinguished from a request for a non-existent entry (no information disclosure through response discrepancy).

# Workaround

If you are unable to update to the latest version, or if you want to temporarily limit the risk of exploitation, you may consider blocking requests to the endpoint `/export/*`. E.g. with nginx:

```nginx
location /export {
    deny all;
}
```

# Credits

We would like to thank @bAuh0lz for reporting this issue through huntr.dev.

Reference: https://www.huntr.dev/bounties/3adef66f-fc86-4e6d-a540-2ffa59342ff0/
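The following is an added illustration, not wallabag's code, modelling the three shapes of the export handler: the vulnerable lookup by id alone, an ownership check bolted on after the lookup (authorized, but 403 vs 404 reveals whether the id exists), and the fixed lookup scoped to the current user as the advisory describes. The `Entry` fields, the in-memory store and `find_by_id_and_user` are constructed stand-ins for wallabag's entities and `EntryRepository`.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Entry:
    id: int
    owner_id: int
    title: str


# Constructed sample data standing in for the wallabag entry table.
ENTRIES = {
    45: Entry(45, owner_id=1, title="alice's article"),
    46: Entry(46, owner_id=2, title="bob's article"),
}


def export_vulnerable(entry_id: int, user_id: int) -> Tuple[int, Optional[str]]:
    """Pre-2.5.3 shape: the entry is resolved by id only (as a ParamConverter
    would) and exported with no ownership check -> classic IDOR."""
    entry = ENTRIES.get(entry_id)
    if entry is None:
        return 404, None
    return 200, entry.title


def export_owner_check_only(entry_id: int, user_id: int) -> Tuple[int, Optional[str]]:
    """Naive fix: ownership is checked after a lookup by id. Authorization is
    correct, but 403 (exists, not yours) vs 404 (does not exist) still leaks
    which entry ids are present on the instance."""
    entry = ENTRIES.get(entry_id)
    if entry is None:
        return 404, None
    if entry.owner_id != user_id:
        return 403, None
    return 200, entry.title


def find_by_id_and_user(entry_id: int, user_id: int) -> Optional[Entry]:
    """Stand-in for a repository query scoped to the user (assumed helper)."""
    entry = ENTRIES.get(entry_id)
    return entry if entry is not None and entry.owner_id == user_id else None


def export_fixed(entry_id: int, user_id: int) -> Tuple[int, Optional[str]]:
    """2.5.3 shape: the lookup itself is scoped to the current user, so a
    foreign entry and a missing entry both yield the same 404."""
    entry = find_by_id_and_user(entry_id, user_id)
    if entry is None:
        return 404, None
    return 200, entry.title
```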

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
|--------|---------|----------|--------|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |

References (5)