invenio-rdm-records@0.18.1 vulnerabilities

InvenioRDM module for the communities feature.

  • latest version

    17.0.0.dev1

  • latest non vulnerable version

  • first published

    5 years ago

  • latest version published

    9 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the invenio-rdm-records package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Access Restriction Bypass

    invenio-rdm-records is a DataCite-based data model for Invenio.

    Affected versions of this package are vulnerable to Access Restriction Bypass because permissions are not checked during record publishing. An authenticated user can, via REST API calls, publish draft records of other users if they know the record identifier and the draft validates. An attacker cannot modify the data in the record and therefore cannot, for example, change a record from restricted to public.

    Details

    The service's publish() method contains the following permission check:

    def publish(..):
        # Vulnerable: the record is not passed to the permission check.
        self.require_permission(identity, "publish")
    

    However, the record should have been passed into the permission check so that the need generators have access to e.g. the record owner.

    def publish(..):
        # Fixed: the need generators receive the record being published.
        self.require_permission(identity, "publish", record=record)
    

    The bug is triggered in Invenio-RDM-Records, whose need generator RecordOwners() defaults to allowing any authenticated user when no record is passed in:

    class RecordOwners(Generator):
        def needs(self, record=None, **kwargs):
            # With no record, the generator falls back to any authenticated user.
            if record is None:
                return [authenticated_user]
            # ...
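
The interaction described above, as an added example that is not Invenio's own code: a self-contained model of the permission check in which Identity, Draft, Service, publish_vulnerable, publish_fixed, can_publish and the need tuples are all constructed for illustration. It shows the same policy denying a non-owner only once the record reaches the need generator.

```python
from dataclasses import dataclass, field

# Constructed model of the check; names are illustrative, not Invenio's API.
AUTHENTICATED = ("system_role", "authenticated_user")

class PermissionDenied(Exception):
    pass

@dataclass
class Identity:
    user_id: int
    provides: set = field(default_factory=set)

    def __post_init__(self):
        self.provides |= {("id", self.user_id), AUTHENTICATED}

@dataclass
class Draft:
    pid: str
    owners: list

class RecordOwners:
    def needs(self, record=None, **kwargs):
        if record is None:
            return [AUTHENTICATED]  # no record: any logged-in user matches
        return [("id", owner) for owner in record.owners]

class Service:
    policy = {"publish": [RecordOwners()]}

    def require_permission(self, identity, action, **kwargs):
        required = {n for g in self.policy[action] for n in g.needs(**kwargs)}
        if not required & identity.provides:
            raise PermissionDenied(action)

    def publish_vulnerable(self, identity, draft):
        self.require_permission(identity, "publish")  # record omitted
        return draft.pid

    def publish_fixed(self, identity, draft):
        self.require_permission(identity, "publish", record=draft)
        return draft.pid

def can_publish(method, identity, draft):
    try:
        return method(identity, draft) == draft.pid
    except PermissionDenied:
        return False
```

A regression test for the fix is the non-owner case: it must be denied by the service method itself, not only by the UI or the route.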
    

    How to fix Access Restriction Bypass?

    Upgrade invenio-rdm-records to version 0.33.10, 0.32.6 or higher.

    Vulnerable versions: [0.33.0,0.33.10) [,0.32.6)