GHSA-R578-PJ6F-R4FF

Vulnerability from github – Published: 2021-06-21 17:07 – Updated: 2021-06-16 21:25
VLAI?
Summary
Auto-merging Person Records Compromised
Details

Impact

New user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages (such as giving and events).

Patches

We have released a security patch on v2.20.0. The solution was to create a duplicate person and then patch the new person with their profile details.

Workarounds

If you do not wish to upgrade your app to the new version, you can patch your server by overriding the create data source method on the People class.

  create = async (profile) => {
    const rockUpdateFields = this.mapApollosFieldsToRock(profile);
    // auto-merge functionality is compromised
    // we are creating a new user and patching them with profile details
    const id = await this.post('/People', {
      Gender: 0, // required by Rock. Listed first so it can be overridden.
      IsSystem: false, // required by rock
    });
    await this.patch(`/People/${id}`, {
      ...rockUpdateFields,
    });
    return id;
  };

For more information

If you have any questions or comments about this advisory: * Email us at support@apollos.app

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@apollosproject/data-connector-rock"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.20.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-303"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-16T18:55:04Z",
    "nvd_published_at": "2021-06-16T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nNew user registrations are able to access anyone\u0027s account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages (such as giving and events).\n\n### Patches\n\nWe have released a security patch on v2.20.0. The solution was to create a duplicate person and then patch the new person with their profile details.\n\n### Workarounds\n\nIf you do not wish to upgrade your app to the new version, you can patch your server by overriding the `create` data source method on the `People` class.\n\n```js\n  create = async (profile) =\u003e {\n    const rockUpdateFields = this.mapApollosFieldsToRock(profile);\n    // auto-merge functionality is compromised\n    // we are creating a new user and patching them with profile details\n    const id = await this.post(\u0027/People\u0027, {\n      Gender: 0, // required by Rock. Listed first so it can be overridden.\n      IsSystem: false, // required by rock\n    });\n    await this.patch(`/People/${id}`, {\n      ...rockUpdateFields,\n    });\n    return id;\n  };\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [support@apollos.app](mailto:support@apollos.app)\n",
  "id": "GHSA-r578-pj6f-r4ff",
  "modified": "2021-06-16T21:25:21Z",
  "published": "2021-06-21T17:07:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ApollosProject/apollos-apps/security/advisories/GHSA-r578-pj6f-r4ff"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32691"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ApollosProject/apollos-apps/commit/cb5f8f1c0b24f1b215b2bb5eb6f9a8e16d728ce2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ApollosProject/apollos-apps/releases/tag/v2.20.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Auto-merging Person Records Compromised"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.