cvelistv5 - cve-2022-21683

URL	Tags
security-advisories@github.com	https://github.com/wagtail/wagtail/commit/5fe901e5d86ed02dbbb63039a897582951266afd	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/wagtail/wagtail/releases/tag/v2.15.2	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/wagtail/wagtail/security/advisories/GHSA-xqxm-2rpm-3889	Mitigation, Third Party Advisory

gsd-2022-21683

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Wagtail is a Django based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not have editing access to, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered). New comments can be disabled by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file.

Aliases

CVE-2022-21683

Aliases

CVE-2022-21683

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-21683",
    "description": "Wagtail is a Django based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not have editing access to, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered). New comments can be disabled by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file.",
    "id": "GSD-2022-21683"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-21683"
      ],
      "details": "Wagtail is a Django based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not have editing access to, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered). New comments can be disabled by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file.",
      "id": "GSD-2022-21683",
      "modified": "2023-12-13T01:19:14.526729Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-21683",
        "STATE": "PUBLIC",
        "TITLE": "Comment reply notifications sent to incorrect users in wagtail"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "wagtail",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 2.13, \u003c 2.15.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "wagtail"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Wagtail is a Django based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not have editing access to, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered). New comments can be disabled by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xqxm-2rpm-3889",
            "refsource": "CONFIRM",
            "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xqxm-2rpm-3889"
          },
          {
            "name": "https://github.com/wagtail/wagtail/commit/5fe901e5d86ed02dbbb63039a897582951266afd",
            "refsource": "MISC",
            "url": "https://github.com/wagtail/wagtail/commit/5fe901e5d86ed02dbbb63039a897582951266afd"
          },
          {
            "name": "https://github.com/wagtail/wagtail/releases/tag/v2.15.2",
            "refsource": "MISC",
            "url": "https://github.com/wagtail/wagtail/releases/tag/v2.15.2"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-xqxm-2rpm-3889",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2.13,\u003c2.15.2",
          "affected_versions": "All versions starting from 2.13 before 2.15.2",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-200",
            "CWE-937"
          ],
          "date": "2022-01-26",
          "description": "Wagtail is a Django based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not have editing access to, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail, which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered). New comments can be disabled by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file.",
          "fixed_versions": [
            "2.15.2"
          ],
          "identifier": "CVE-2022-21683",
          "identifiers": [
            "CVE-2022-21683",
            "GHSA-xqxm-2rpm-3889"
          ],
          "not_impacted": "All versions before 2.13, all versions starting from 2.15.2",
          "package_slug": "pypi/wagtail",
          "pubdate": "2022-01-18",
          "solution": "Upgrade to version 2.15.2 or above.",
          "title": "Exposure of Sensitive Information to an Unauthorized Actor",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-21683",
            "https://github.com/wagtail/wagtail/commit/5fe901e5d86ed02dbbb63039a897582951266afd",
            "https://github.com/wagtail/wagtail/releases/tag/v2.15.2",
            "https://github.com/wagtail/wagtail/security/advisories/GHSA-xqxm-2rpm-3889"
          ],
          "uuid": "ebda1f90-f629-4072-959f-4e69032467b5"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.15.2",
                "versionStartIncluding": "2.13",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-21683"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Wagtail is a Django based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not have editing access to, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered). New comments can be disabled by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/wagtail/wagtail/commit/5fe901e5d86ed02dbbb63039a897582951266afd",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/wagtail/wagtail/commit/5fe901e5d86ed02dbbb63039a897582951266afd"
            },
            {
              "name": "https://github.com/wagtail/wagtail/releases/tag/v2.15.2",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/wagtail/wagtail/releases/tag/v2.15.2"
            },
            {
              "name": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xqxm-2rpm-3889",
              "refsource": "CONFIRM",
              "tags": [
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xqxm-2rpm-3889"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2022-01-26T18:16Z",
      "publishedDate": "2022-01-18T18:15Z"
    }
  }
}

pysec-2022-13

Vulnerability from pysec

Published

2022-01-18 18:15

Modified

2022-01-26 19:22

Details

Wagtail is a Django based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not have editing access to, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered). New comments can be disabled by setting WAGTAILADMIN_COMMENTS_ENABLED = False in the Django settings file.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail",
        "purl": "pkg:pypi/wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5fe901e5d86ed02dbbb63039a897582951266afd"
            }
          ],
          "repo": "https://github.com/wagtail/wagtail",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "2.13"
            },
            {
              "fixed": "2.15.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.13",
        "2.13.1",
        "2.13.2",
        "2.13.3",
        "2.13.4",
        "2.13.5",
        "2.14",
        "2.14.1",
        "2.14.2",
        "2.14rc1",
        "2.15",
        "2.15.1",
        "2.15rc1",
        "2.15rc2"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21683",
    "GHSA-xqxm-2rpm-3889"
  ],
  "details": "Wagtail is a Django based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not have editing access to, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered). New comments can be disabled by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file.",
  "id": "PYSEC-2022-13",
  "modified": "2022-01-26T19:22:48.977586Z",
  "published": "2022-01-18T18:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/wagtail/wagtail/commit/5fe901e5d86ed02dbbb63039a897582951266afd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/releases/tag/v2.15.2"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xqxm-2rpm-3889"
    }
  ]
}

ghsa-xqxm-2rpm-3889

Vulnerability from github

Published

2022-01-21 23:43

Modified

2024-11-19 16:03

Severity ?

3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

Comment reply notifications sent to incorrect users

Details

Impact

When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not had editing access to, as long as they have left a comment or reply somewhere on the site.

Patches

A patched version has been released as Wagtail 2.15.2 (for the current LTS), which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered).

Workarounds

New comments can be disabled by setting WAGTAILADMIN_COMMENTS_ENABLED = False in the Django settings file.

Acknowledgements

Many thanks to Ihor Marhitych for identifying this issue.

For more information

If you have any questions or comments about this advisory:

Visit Wagtail's support channels
Email us at security@wagtail.io (if you wish to send encrypted email, the public key ID is 0x6ba1e1a86e0f8ce8)

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.13"
            },
            {
              "fixed": "2.15.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21683"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-18T21:16:18Z",
    "nvd_published_at": "2022-01-18T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they have not had editing access to, as long as they have left a comment or reply somewhere on the site.\n\n### Patches\nA patched version has been released as Wagtail 2.15.2 (for the current LTS), which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered).\n\n### Workarounds\nNew comments can be disabled by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file.\n\n### Acknowledgements\n\nMany thanks to Ihor Marhitych for identifying this issue.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Visit Wagtail\u0027s [support channels](https://docs.wagtail.io/en/stable/support.html)\n* Email us at security@wagtail.io (if you wish to send encrypted email, the public key ID is `0x6ba1e1a86e0f8ce8`)\n",
  "id": "GHSA-xqxm-2rpm-3889",
  "modified": "2024-11-19T16:03:44Z",
  "published": "2022-01-21T23:43:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xqxm-2rpm-3889"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21683"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/commit/5fe901e5d86ed02dbbb63039a897582951266afd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2022-13.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wagtail/wagtail"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/releases/tag/v2.15.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Comment reply notifications sent to incorrect users"
}

cve-2022-21683

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

cve-2022-21683

Vulnerability from cvelistv5

gsd-2022-21683

Vulnerability from gsd

pysec-2022-13

Vulnerability from pysec

ghsa-xqxm-2rpm-3889

Vulnerability from github

Impact

Patches

Workarounds

Acknowledgements

For more information

Tags

Sightings

Nomenclature