CVE-2024-1314

描述

### Impact The attachment file of an existing record can be replaced if the user has `"read"` permission on one of the parent (collection or bucket). And if the `"read"` permission is given to `"system.Everyone"` on one of the parent, then the attachment can be replaced on a record using an anonymous request. Note that if the parent has no explicit read permission, then the records attachments are safe. ### Patches - Patch released in kinto-attachment 6.4.0 - https://github.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1 ### Workarounds None if the read permission has to remain granted. Updating to 6.4.0 or applying the patch individually (if updating is not feasible) is strongly recommended. ### References - https://bugzilla.mozilla.org/show_bug.cgi?id=1879034

如何修補 CVE-2024-1314

要修補 CVE-2024-1314,請將受影響套件升級到下列已修補版本。

• —升級至 6.4.0 或更新版本

CVE-2024-1314 正在被利用嗎?

目前沒有被利用訊號。CVE-2024-1314 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(1)

• from 0, < 6.4.0

CVSS 分數

參考連結(4)

• PATCHgithub.com/Kinto/kinto-attachment
• WEBbugzilla.mozilla.org/show_bug.cgi?id=1879034
• WEBgithub.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1
• WEBgithub.com/Kinto/kinto-attachment/security/advisories/GHSA-hvp4-vrv2-8wrq