GHSA-6MHR-52MV-6V6F

Vulnerability from github – Published: 2022-10-18 17:12 – Updated: 2022-10-18 17:12
Summary
Field-level access-control bypass for multiselect field
Details

Impact

Users of @keystone-6/core@2.2.0 || 2.3.0 who use the multiselect field and have provided field-level access control for it are vulnerable: that field-level access control is not applied.

List-level access control is NOT affected.

Field-level access control for fields other than multiselect is NOT affected.

For example, you are vulnerable if you use field-level access control on a multiselect field like the following:

```ts
const yourList = list({
  access: {
    // this is list-level access control, this is NOT impacted
  },
  fields: {
    yourFieldName: multiselect({
      // this is field-level access control, for multiselect fields
      //   this is vulnerable
      access: {
        create: ({ session }) => session?.data.isAdmin,
        update: ({ session }) => session?.data.isAdmin,
      },
      options: [
        { value: 'apples', label: 'Apples' },
        { value: 'oranges', label: 'Oranges' },
      ],
      // ...
    }),
    // ...
  },
  // ...
});
```
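To make the missing check concrete, here is an added TypeScript example that is not Keystone's code: `list()` and `multiselect()` are hypothetical stand-ins that just return their config, `title` is a constructed extra field, and `enforceFieldAccess()` is an assumed function that rejects create/update input for any field whose access function denies the session, which is exactly what 2.2.0 and 2.3.0 failed to do for multiselect fields.

```typescript
// Added example, not Keystone's own code: a minimal model of field-level
// access control so the advisory's failure mode can be tested directly.
type Session = { data: { isAdmin: boolean } } | undefined;
type Operation = 'create' | 'update';
type FieldAccessFn = (args: { session: Session }) => boolean | undefined;
type FieldConfig = {
  access?: Partial<Record<Operation, FieldAccessFn>>;
  options?: { value: string; label: string }[];
};
type ListConfig = { fields: Record<string, FieldConfig> };
// Hypothetical stand-ins for keystone's list()/multiselect(): return the config as-is.
const list = (config: ListConfig): ListConfig => config;
const multiselect = (config: FieldConfig): FieldConfig => config;
// The advisory's configuration: only admins may set yourFieldName.
// 'title' is a constructed extra field with no field-level access control.
const yourList = list({
  fields: {
    yourFieldName: multiselect({
      access: {
        create: ({ session }) => session?.data.isAdmin,
        update: ({ session }) => session?.data.isAdmin,
      },
      options: [
        { value: 'apples', label: 'Apples' },
        { value: 'oranges', label: 'Oranges' },
      ],
    }),
    title: {},
  },
});
// Field-level enforcement for one create/update request: a field is denied when
// its access function is not truthy for this session (the check 2.2.0/2.3.0 skipped
// for multiselect), when it is unknown, or when a multiselect value is not an option.
function enforceFieldAccess(
  cfg: ListConfig, op: Operation, session: Session, input: Record<string, unknown>,
): { allowed: boolean; denied: string[] } {
  const denied: string[] = [];
  for (const [name, value] of Object.entries(input)) {
    const field = cfg.fields[name];
    if (!field) { denied.push(name); continue; }
    const fn = field.access?.[op];
    if (fn && !fn({ session })) { denied.push(name); continue; }
    const opts = field.options;
    if (opts && !(Array.isArray(value) && value.every(v => opts.some(o => o.value === v)))) {
      denied.push(name);
    }
  }
  return { allowed: denied.length === 0, denied };
}
```

A regression test against a real Keystone deployment would make the same two calls through the GraphQL API with a non-admin and an anonymous session and expect both to be refused.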

Mitigation

Please upgrade to @keystone-6/core >= 2.3.1, where this vulnerability has been closed.

Workarounds

If for some reason you cannot upgrade your dependencies, you should stop using the multiselect field.

Credits

Thanks to Marek R for reporting and submitting the pull request to fix this problem.

If you have any questions around this security advisory, please don't hesitate to contact us at security@keystonejs.com, or open an issue on GitHub.

If you have a security flaw to report for any software in this repository, please see our SECURITY policy.


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@keystone-6/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-18T17:12:46Z",
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "severity": "CRITICAL"
  },
  "id": "GHSA-6mhr-52mv-6v6f",
  "modified": "2022-10-18T17:12:46Z",
  "published": "2022-10-18T17:12:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-6mhr-52mv-6v6f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39322"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keystonejs/keystone/commit/65c6ee3deef23605fc72b80230908696a7a65e7c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keystonejs/keystone"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Field-level access-control bypass for multiselect field"
}