GHSA-CF2J-VF36-C6W8

Vulnerability from github – Published: 2021-11-01 19:18 – Updated: 2021-10-29 17:26
VLAI?
Summary
Communities and collections administrators can escalate their privilege up to system administrator
Details

Impact

Any community or collection administrator can escalate their permission up to become system administrator.

This vulnerability only existed in 7.0 and does not impact 6.x or below.

Patches

Fix is included in 7.1. Please upgrade to 7.1 at your earliest convenience.

Workarounds

In 7.0, temporarily disable the ability for community or collection administrators to manage permissions or workflows settings, i.e. set the following properties in your local.cfg / dspace.cfg file

core.authorization.collection-admin.policies = false
core.authorization.community-admin.policies = false
core.authorization.community-admin.collection.workflows = false

Once upgraded to 7.1, these settings can be safely reverted to the default values of true.

References

Discovered during investigation of https://github.com/DSpace/DSpace/issues/7928

For more information

If you have any questions or comments about this advisory: * Email us at security@dspace.org

Severity ?
7.2 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.dspace:dspace-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0"
            },
            {
              "fixed": "7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-29T17:26:35Z",
    "nvd_published_at": "2021-10-29T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAny community or collection administrator can escalate their permission up to become system administrator.\n\nThis vulnerability only existed in 7.0 and does not impact 6.x or below.\n\n### Patches\nFix is included in [7.1](https://github.com/DSpace/DSpace/releases/tag/dspace-7.1). Please upgrade to 7.1 at your earliest convenience.\n\n### Workarounds\nIn 7.0, temporarily disable the ability for community or collection administrators to manage permissions or workflows settings, i.e. set the following properties in your local.cfg / dspace.cfg file\n```\ncore.authorization.collection-admin.policies = false\ncore.authorization.community-admin.policies = false\ncore.authorization.community-admin.collection.workflows = false\n```\nOnce upgraded to 7.1, these settings can be safely reverted to the default values of `true`.\n\n### References\nDiscovered during investigation of https://github.com/DSpace/DSpace/issues/7928\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@dspace.org\n",
  "id": "GHSA-cf2j-vf36-c6w8",
  "modified": "2021-10-29T17:26:35Z",
  "published": "2021-11-01T19:18:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-cf2j-vf36-c6w8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41189"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/issues/7928"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/commit/277b499a5cd3a4f5eb2370513a1b7e4ec2a6e041"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/commit/c3bea16ab911606e15ae96c97a1575e1ffb14f8a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DSpace/DSpace"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Communities and collections administrators can escalate their privilege up to system administrator"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.