invenio-rdm-records@0.20.2 vulnerabilities

InvenioRDM module for the communities feature.

  • latest version

    17.0.0.dev1

  • latest non vulnerable version

  • first published

    5 years ago

  • latest version published

    9 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the invenio-rdm-records package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Access Restriction Bypass

    invenio-rdm-records is a DataCite-based data model for Invenio.

    Affected versions of this package are vulnerable to Access Restriction Bypass because permissions are not checked during record publishing. An authenticated user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates. An attacker is not able to modify the data in the record, and thus e.g. cannot change a record from restricted to public.

    Details

    The service's publish() method contains the following permission check:

    def publish(..):
        self.require_permission(identity, "publish")
    

    However, the record should have been passed into the permission check so that the need generators have access to e.g. the record owner.

    def publish(..):
        self.require_permission(identity, "publish", record=record)
    

    The bug is activated in Invenio-RDM-Records which has a need generator called RecordOwners(), which when no record is passed in defaults to allow any authenticated user:

    class RecordOwners(Generator):
        def needs(self, record=None, **kwargs):
            if record is None:
                return [authenticated_user]
        # ...
    

    How to fix Access Restriction Bypass?

    Upgrade invenio-rdm-records to version 0.33.10, 0.32.6 or higher.

    [0.33.0,0.33.10)[,0.32.6)