CWE-552
AllowedFiles or Directories Accessible to External Parties
Abstraction: Base · Status: Draft
The product makes files or directories accessible to unauthorized actors, even though they should not be.
670 vulnerabilities reference this CWE, most recent first.
GHSA-GXPM-CPXC-WXVH
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42The ZXR10 1800-2S before v3.00.40 incorrectly restricts access to a resource from an unauthorized actor, resulting in ordinary users being able to download configuration files to steal information like administrator accounts and passwords.
{
"affected": [],
"aliases": [
"CVE-2017-10930"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-19T14:29:00Z",
"severity": "CRITICAL"
},
"details": "The ZXR10 1800-2S before v3.00.40 incorrectly restricts access to a resource from an unauthorized actor, resulting in ordinary users being able to download configuration files to steal information like administrator accounts and passwords.",
"id": "GHSA-gxpm-cpxc-wxvh",
"modified": "2022-05-13T01:42:02Z",
"published": "2022-05-13T01:42:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10930"
},
{
"type": "WEB",
"url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1008262"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H2JJ-VR3R-H3V5
Vulnerability from github – Published: 2023-01-03 00:30 – Updated: 2023-01-09 21:30The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server.
{
"affected": [],
"aliases": [
"CVE-2022-4236"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-02T22:15:00Z",
"severity": "MODERATE"
},
"details": "The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server.",
"id": "GHSA-h2jj-vr3r-h3v5",
"modified": "2023-01-09T21:30:22Z",
"published": "2023-01-03T00:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4236"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/436d8894-dab8-41ea-8ed0-a3338aded635"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H52Q-725P-338M
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04A vulnerability exists in gowitness < 2.3.6 that allows an unauthenticated attacker to perform an arbitrary file read using the file:// scheme in the url parameter to get an image of any file.
{
"affected": [],
"aliases": [
"CVE-2021-33359"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-09T18:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in gowitness \u003c 2.3.6 that allows an unauthenticated attacker to perform an arbitrary file read using the file:// scheme in the url parameter to get an image of any file.",
"id": "GHSA-h52q-725p-338m",
"modified": "2022-05-24T19:04:30Z",
"published": "2022-05-24T19:04:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33359"
},
{
"type": "WEB",
"url": "https://github.com/sensepost/gowitness/releases/tag/2.3.6"
},
{
"type": "WEB",
"url": "https://twitter.com/leonjza/status/1395283512433971202?s=19"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H54V-P7XG-RQM5
Vulnerability from github – Published: 2024-12-05 15:31 – Updated: 2024-12-05 15:31Configuration Download vulnerabilities allow access to dependency configuration information. Affected products:
ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02
{
"affected": [],
"aliases": [
"CVE-2024-51542"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-05T13:15:07Z",
"severity": "HIGH"
},
"details": "Configuration Download vulnerabilities allow access to dependency configuration information.\u00a0\nAffected products:\n\n\nABB ASPECT - Enterprise v3.08.02; \nNEXUS Series v3.08.02; \nMATRIX Series v3.08.02",
"id": "GHSA-h54v-p7xg-rqm5",
"modified": "2024-12-05T15:31:02Z",
"published": "2024-12-05T15:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51542"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H5FG-JPGR-RV9C
Vulnerability from github – Published: 2025-10-22 19:38 – Updated: 2025-10-22 19:38Description
There is a flaw in the hidden file protection feature of Vert.x Web’s StaticHandler when setIncludeHidden(false) is configured.
In the current implementation, only files whose final path segment (i.e., the file name) begins with a dot (.) are treated as “hidden” and are blocked from being served. However, this logic fails in the following cases:
- Files under hidden directories: For example,
/.secret/config.txt— although.secretis a hidden directory, the fileconfig.txtitself does not start with a dot, so it gets served. - Real-world impact: Sensitive files placed in hidden directories like
.git,.env,.awsmay become publicly accessible.
As a result, the behavior does not meet the expectations set by the includeHidden=false configuration, which should ideally protect all hidden files and directories. This gap may lead to unintended exposure of sensitive information.
Steps to Reproduce
1. Prepare test environment
# Create directory structure
mkdir -p src/test/resources/webroot/.secret
mkdir -p src/test/resources/webroot/.git
# Place test files
echo "This is a visible file" > src/test/resources/webroot/visible.txt
echo "This is a hidden file" > src/test/resources/webroot/.hidden.txt
echo "SECRET DATA: API_KEY=abc123" > src/test/resources/webroot/.secret/config.txt
echo "Git config data" > src/test/resources/webroot/.git/config
2. Implement test server
import io.vertx.core.AbstractVerticle;
import io.vertx.core.Vertx;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.StaticHandler;
public class StaticHandlerTestServer extends AbstractVerticle {
@Override
public void start() {
Router router = Router.router(vertx);
// Configure to not serve hidden files
StaticHandler staticHandler = StaticHandler.create("src/test/resources/webroot")
.setIncludeHidden(false)
.setDirectoryListing(false);
router.route("/*").handler(staticHandler);
vertx.createHttpServer()
.requestHandler(router)
.listen(8082);
}
public static void main(String[] args) {
Vertx vertx = Vertx.vertx();
vertx.deployVerticle(new StaticHandlerTestServer());
}
}
3. Confirm the vulnerability
# Normal file (accessible)
curl http://localhost:8082/visible.txt
# Result: 200 OK
# Hidden file (correctly blocked)
curl http://localhost:8082/.git
# Result: 404 Not Found
# File under hidden directory (vulnerable)
curl http://localhost:8082/.git/config
# Result: 200 OK - Returns contents of Git config
Potential Impact
1. Information Disclosure
Examples of sensitive files that could be exposed:
.git/config: Git repository settings (e.g., remote URL, credentials).env/*: Environment variables (API keys, DB credentials).aws/credentials: AWS access keys.ssh/known_hosts: SSH host trust info.docker/config.json: Docker registry credentials
2. Attack Scenarios
- Attackers can guess common hidden directory names and enumerate filenames under them to access confidential data.
- Especially dangerous for
.git/HEAD,.git/config,.git/objects/*— which may allow full reconstruction of source code.
3. Affected Scope
- Affected version: Vert.x Web 5.1.0-SNAPSHOT (likely earlier versions as well)
- Environments: All OSes (Windows, Linux, macOS)
- Configurations: All applications using
StaticHandler.setIncludeHidden(false)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.vertx:vertx-web"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.4"
},
"package": {
"ecosystem": "Maven",
"name": "io.vertx:vertx-web"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-11965"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-22T19:38:04Z",
"nvd_published_at": "2025-10-22T15:15:31Z",
"severity": "MODERATE"
},
"details": "# Description\n\nThere is a flaw in the hidden file protection feature of Vert.x Web\u2019s `StaticHandler` when `setIncludeHidden(false)` is configured.\n\nIn the current implementation, only files whose final path segment (i.e., the file name) begins with a dot (`.`) are treated as \u201chidden\u201d and are blocked from being served. However, this logic fails in the following cases:\n\n- **Files under hidden directories**: For example, `/.secret/config.txt` \u2014 although `.secret` is a hidden directory, the file `config.txt` itself does not start with a dot, so it gets served.\n- **Real-world impact**: Sensitive files placed in hidden directories like `.git`, `.env`, `.aws` may become publicly accessible.\n\nAs a result, the behavior does not meet the expectations set by the `includeHidden=false` configuration, which should ideally protect all hidden files and directories. This gap may lead to unintended exposure of sensitive information.\n\n# Steps to Reproduce\n\n```bash\n1. Prepare test environment\n\n# Create directory structure\nmkdir -p src/test/resources/webroot/.secret\nmkdir -p src/test/resources/webroot/.git\n\n# Place test files\necho \"This is a visible file\" \u003e src/test/resources/webroot/visible.txt\necho \"This is a hidden file\" \u003e src/test/resources/webroot/.hidden.txt\necho \"SECRET DATA: API_KEY=abc123\" \u003e src/test/resources/webroot/.secret/config.txt\necho \"Git config data\" \u003e src/test/resources/webroot/.git/config\n```\n\n```java\n2. Implement test server\n\nimport io.vertx.core.AbstractVerticle;\nimport io.vertx.core.Vertx;\nimport io.vertx.ext.web.Router;\nimport io.vertx.ext.web.handler.StaticHandler;\n\npublic class StaticHandlerTestServer extends AbstractVerticle {\n @Override\n public void start() {\n Router router = Router.router(vertx);\n\n // Configure to not serve hidden files\n StaticHandler staticHandler = StaticHandler.create(\"src/test/resources/webroot\")\n .setIncludeHidden(false)\n .setDirectoryListing(false);\n\n router.route(\"/*\").handler(staticHandler);\n\n vertx.createHttpServer()\n .requestHandler(router)\n .listen(8082);\n }\n\n public static void main(String[] args) {\n Vertx vertx = Vertx.vertx();\n vertx.deployVerticle(new StaticHandlerTestServer());\n }\n}\n```\n\n```bash\n3. Confirm the vulnerability\n\n# Normal file (accessible)\ncurl http://localhost:8082/visible.txt\n# Result: 200 OK\n\n# Hidden file (correctly blocked)\ncurl http://localhost:8082/.git\n# Result: 404 Not Found\n\n# File under hidden directory (vulnerable)\ncurl http://localhost:8082/.git/config\n# Result: 200 OK - Returns contents of Git config\n```\n\n# Potential Impact\n\n## 1. Information Disclosure\n\nExamples of sensitive files that could be exposed:\n\n- `.git/config`: Git repository settings (e.g., remote URL, credentials)\n- `.env/*`: Environment variables (API keys, DB credentials)\n- `.aws/credentials`: AWS access keys\n- `.ssh/known_hosts`: SSH host trust info\n- `.docker/config.json`: Docker registry credentials\n\n## 2. Attack Scenarios\n\n- Attackers can guess common hidden directory names and enumerate filenames under them to access confidential data.\n- Especially dangerous for `.git/HEAD`, `.git/config`, `.git/objects/*` \u2014 which may allow full reconstruction of source code.\n\n## 3. Affected Scope\n\n- **Affected version**: Vert.x Web 5.1.0-SNAPSHOT (likely earlier versions as well)\n- **Environments**: All OSes (Windows, Linux, macOS)\n- **Configurations**: All applications using `StaticHandler.setIncludeHidden(false)`",
"id": "GHSA-h5fg-jpgr-rv9c",
"modified": "2025-10-22T19:38:04Z",
"published": "2025-10-22T19:38:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vert-x3/vertx-web/security/advisories/GHSA-h5fg-jpgr-rv9c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11965"
},
{
"type": "PACKAGE",
"url": "https://github.com/vert-x3/vertx-web"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/304"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Vert.x-Web Access Control Flaw in StaticHandler\u2019s Hidden File Protection for Files Under Hidden Directories"
}
GHSA-H5W8-M6JQ-QMXF
Vulnerability from github – Published: 2026-03-04 15:30 – Updated: 2026-03-04 15:30Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls.This issue affects BlueSpice: from 5.1 through 5.1.3, from 5.2 through 5.2.0.
HINT: Versions provided apply to BlueSpice MediaWiki releases. For Extension:NSFileRepo the affected versions are 3.0 < 3.0.5
{
"affected": [],
"aliases": [
"CVE-2026-24732"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T13:15:58Z",
"severity": "MODERATE"
},
"details": "Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls.This issue affects BlueSpice: from 5.1 through 5.1.3, from 5.2 through 5.2.0.\n\nHINT: Versions provided apply to BlueSpice MediaWiki releases. For\u00a0Extension:NSFileRepo the affected versions are 3.0 \u003c 3.0.5",
"id": "GHSA-h5w8-m6jq-qmxf",
"modified": "2026-03-04T15:30:35Z",
"published": "2026-03-04T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24732"
},
{
"type": "WEB",
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2026-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:L/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H69C-WC8M-XGV4
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 01:57Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP.
{
"affected": [],
"aliases": [
"CVE-2019-13140"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-16T17:15:00Z",
"severity": "MODERATE"
},
"details": "Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the \"user\" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP.",
"id": "GHSA-h69c-wc8m-xgv4",
"modified": "2024-04-04T01:57:28Z",
"published": "2022-05-24T16:56:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13140"
},
{
"type": "WEB",
"url": "https://twitter.com/GerardFuguet/status/1169298861782896642"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/docs/47397"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47390"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154494/Inteno-IOPSYS-Gateway-3DES-Key-Extraction-Improper-Access.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H84W-MW8F-PJ69
Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-20 00:01A vulnerability using PendingIntent in Accessibility prior to version 12.5.3.2 in Android R(11.0) and 13.0.1.1 in Android S(12.0) allows attacker to access the file with system privilege.
{
"affected": [],
"aliases": [
"CVE-2022-27837"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-11T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability using PendingIntent in Accessibility prior to version 12.5.3.2 in Android R(11.0) and 13.0.1.1 in Android S(12.0) allows attacker to access the file with system privilege.",
"id": "GHSA-h84w-mw8f-pj69",
"modified": "2022-04-20T00:01:01Z",
"published": "2022-04-12T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27837"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H877-4279-QCFV
Vulnerability from github – Published: 2025-03-07 18:31 – Updated: 2025-09-19 18:31A files or directories accessible to external parties vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers to read/write files or directories.
We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4741 and later
{
"affected": [],
"aliases": [
"CVE-2024-48864"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-07T17:15:18Z",
"severity": "MODERATE"
},
"details": "A files or directories accessible to external parties vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers to read/write files or directories.\n\nWe have already fixed the vulnerability in the following versions:\nFile Station 5 5.5.6.4741 and later",
"id": "GHSA-h877-4279-qcfv",
"modified": "2025-09-19T18:31:19Z",
"published": "2025-03-07T18:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48864"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-24-55"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HF59-7RWQ-785M
Vulnerability from github – Published: 2024-10-23 17:22 – Updated: 2025-04-14 22:10Impact
What kind of vulnerability is it? Who is impacted?
In certain very specific situations, it was possible for the policies of an update action to be skipped. This occurred only on "empty" update actions (no changing fields), and would allow their hooks (side effects) to be performed when they should not have been. Note that this does not allow reading new data that the user should not have had access to, only triggering a side effect a user should not have been able to trigger.
You must have an update action that:
- Is on a resource with no attributes containing an "update default" (updated_at timestamp, for example)
- can be performed atomically.
- Does not have
require_atomic? false - Has at least one authorizer (typically
Ash.Policy.Authorizer) - Has at least one
change(on the resource'schangesblock or in the action itself) This is where the side-effects would be performed when they should not have been.
- Is there ever a place where you call this action manually, using
Ash.update. Note that AshGraphql and AshJsonApi action calls are not affected as they useAsh.bulk_update. - If so, is there ever a case where you call the action with zero inputs, and have it produce zero changing fields.
- If so, could it then produce a side effect. This means you'd have an after_action hook that calls some other resource.
- If so, does that side effect bypass another resource's policies, i.e using
authorize?: false, or not providing the same actor.
Everything above the line can be checked with the provided script. Everything below it, must be checked manually. The script for checking this is available in the "Might I be affected" section.
The script can have false positives, but will not have any false negatives. So if you run the script, and it says "No potential vulnerabilities found", then all you need to do is update ash_postgres.
Patches
This problem has been patched in 2.4.10 of ash_postgres.
Workarounds
You could:
- Determine that none of your actions are vulnerable using the script.
- Add
require_atomic? falseto any potentially affected update action - Replace any usage of
Ash.updatewithAsh.bulk_updatefor an affected action - add an update timestamp to your action.
Might I be affected
This gist provides a script you can run to detect if you are potentially vulnerable.
https://gist.github.com/zachdaniel/e49166b765978c48dfaf998d06df436e
References
Original Report/discovery: https://elixirforum.com/t/empty-update-action-with-policies/66954 Fix commit: https://github.com/ash-project/ash_postgres/commit/1228fcd851f29a68609e236f7d6a2622a4b5c4ba
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "ash_postgres"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.4.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-49756"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-23T17:22:30Z",
"nvd_published_at": "2024-10-23T17:15:19Z",
"severity": "MODERATE"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nIn certain *very specific* situations, it was possible for the policies of an update action to be skipped. This occurred only on \"empty\" update actions (no changing fields), and would allow their hooks (side effects) to be performed when they should not have been. Note that this does not allow reading new data that the user should not have had access to, only triggering a side effect a user should not have been able to trigger.\n\nYou must have an update action that:\n\n- Is on a resource with no attributes containing an \"update default\" (updated_at timestamp, for example)\n- can be performed atomically. \n- Does *not* have `require_atomic? false`\n- Has at least one authorizer (typically `Ash.Policy.Authorizer`)\n- Has at least one `change` (on the resource\u0027s `changes` block or in the action itself)\n This is where the side-effects would be performed when they should not have been.\n\n--- \n\n- Is there ever a place where you call this action manually, using `Ash.update`. \n Note that AshGraphql and AshJsonApi action calls are *not* affected as they use `Ash.bulk_update`. \n- If so, is there ever a case where you call the action with zero inputs, and have it produce zero changing fields.\n- If so, could it then produce a side effect. This means you\u0027d have an after_action hook that calls some other resource.\n- If so, does that side effect bypass another resource\u0027s policies, i.e using `authorize?: false`, or not providing the same actor.\n\n\nEverything above the line can be checked with the provided script. Everything below it, must be checked manually. The script for checking this is available in the \"Might I be affected\" section. \n\n**The script can have false *positives*, but will not have any false *negatives*. So if you run the script, and it says \"No potential vulnerabilities found\", then all you need to do is update ash_postgres.** \n\n\n### Patches\nThis problem has been patched in `2.4.10` of `ash_postgres`.\n\n### Workarounds\n\nYou could:\n\n1. Determine that none of your actions are vulnerable using the script.\n2. Add `require_atomic? false` to any potentially affected update action\n3. Replace any usage of `Ash.update` with `Ash.bulk_update` for an affected action\n4. add an update timestamp to your action.\n\n### Might I be affected\n\nThis gist provides a script you can run to detect if you are potentially vulnerable.\n\nhttps://gist.github.com/zachdaniel/e49166b765978c48dfaf998d06df436e\n\n### References\n\nOriginal Report/discovery: https://elixirforum.com/t/empty-update-action-with-policies/66954\nFix commit: https://github.com/ash-project/ash_postgres/commit/1228fcd851f29a68609e236f7d6a2622a4b5c4ba",
"id": "GHSA-hf59-7rwq-785m",
"modified": "2025-04-14T22:10:39Z",
"published": "2024-10-23T17:22:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ash-project/ash_postgres/security/advisories/GHSA-hf59-7rwq-785m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49756"
},
{
"type": "WEB",
"url": "https://github.com/ash-project/ash_postgres/commit/1228fcd851f29a68609e236f7d6a2622a4b5c4ba"
},
{
"type": "WEB",
"url": "https://elixirforum.com/t/empty-update-action-with-policies/66954"
},
{
"type": "WEB",
"url": "https://gist.github.com/zachdaniel/e49166b765978c48dfaf998d06df436e"
},
{
"type": "PACKAGE",
"url": "https://github.com/ash-project/ash_postgres"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "In AshPostgres, empty, atomic, non-bulk actions, policy bypass for side-effects vulnerability."
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.