CVE-2026-24749
Severity: MEDIUM (5.3), EPSS 0.01%
Silverstripe Assets Module has a DBFile::getURL() permission bypass
Description
### Impact

Images rendered in templates or otherwise accessed via `DBFile::getURL()` or `DBFile::getSourceURL()` incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like `ScaleWidth()` or `Convert()`.

Note that if you use `DBFile` directly in the `$db` configuration for a `DataObject` class that doesn't subclass `File`, and if you were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If you do not want to explicitly provide access grants for these files (i.e. you want these files to be accessible by default), you should use the "public" visibility.

### Reported by

Restruct web & apps
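One way to apply the advisory's guidance in a `DataObject` that uses `DBFile` directly, as an added example that is not code from the advisory or from the silverstripe/assets project: the `Report` class, its `Attachment` field, the `publicly_readable` config flag and `getAttachmentURLFor()` are assumptions, while `publishFile()`, `protectFile()`, `grantFile()`, `getVisibility()` and `exists()` are methods of the `AssetContainer` interface that `DBFile` implements.

```php
<?php
// Added example, not from the advisory or from silverstripe/assets.
// Hypothetical DataObject that stores a file in a DBFile $db field
// without subclassing File, the case the advisory calls out.
use SilverStripe\Assets\Storage\AssetStore;
use SilverStripe\ORM\DataObject;
use SilverStripe\Security\Member;

class Report extends DataObject
{
    private static $table_name = 'Report';
    private static $db = [
        'Title'      => 'Varchar',
        'Attachment' => 'DBFile', // composite field, no File record
    ];
    // true: attachments readable by anyone with the URL ("public").
    // false: attachments need an explicit access grant ("protected").
    private static $publicly_readable = false;

    protected function onAfterWrite()
    {
        parent::onAfterWrite();
        $file = $this->Attachment;
        if (!$file->exists()) {
            return;
        }
        // Choose the visibility deliberately: with the fix for CVE-2026-24749,
        // getURL() on a protected file no longer adds a session grant.
        if (static::config()->get('publicly_readable')) {
            $file->publishFile();
        } else {
            $file->protectFile();
        }
    }

    // Returns a URL only for viewers allowed to see the record. For a
    // protected file the grant is an explicit, authorised step, not a
    // side effect of rendering the URL or an image variant.
    public function getAttachmentURLFor(?Member $member): ?string
    {
        $file = $this->Attachment;
        if (!$file->exists()) {
            return null;
        }
        if ($file->getVisibility() === AssetStore::VISIBILITY_PROTECTED) {
            if (!$this->canView($member)) {
                return null;
            }
            $file->grantFile();
        }
        return $file->getURL();
    }
}
```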
Affected packages (1)
- Packagist: silverstripe/assets, from 0, < 2.4.5
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-24749
- PATCH: https://github.com/silverstripe/silverstripe-assets
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/assets/CVE-2026-24749.yaml
- WEB: https://github.com/silverstripe/silverstripe-assets/security/advisories/GHSA-jgcf-rf45-2f8v
- WEB: https://www.silverstripe.org/download/security-releases/cve-2026-24749