Known vulnerabilities in the invenio-rdm-records package. This does not include vulnerabilities belonging to this package’s dependencies.
Vulnerability | Vulnerable Version |
---|---|
Access Restriction Bypass | [0.33.0,0.33.10), [,0.32.6) |

invenio-rdm-records is a DataCite-based data model for Invenio. Affected versions of this package are vulnerable to Access Restriction Bypass because permissions are not checked during record publishing. An authenticated user can, via REST API calls, publish other users' draft records if they know the record identifier and the draft validates. An attacker is not able to modify the data in the record, and thus cannot, for example, change a record from restricted to public.

Details

The service's
However, the record should have been passed into the permission check so that the need generators have access to, for example, the record owner.
The bug is activated in Invenio-RDM-Records which has a need generator called

How to fix Access Restriction Bypass?

Upgrade invenio-rdm-records to a version outside the vulnerable ranges [,0.32.6) and [0.33.0,0.33.10), i.e. to 0.32.6 or later, or to 0.33.10 or later. (In this range notation, [,0.32.6) means every release before 0.32.6, and [0.33.0,0.33.10) means 0.33.0 up to but not including 0.33.10.)
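The mechanism described under Details, as an added example that is not invenio-rdm-records' own code: a toy, hypothetical model of generator-based permission checks in which the owner generator can only produce a need when it is handed the record, so a check that omits the record degrades to "no needs, allow everyone". Class and function names here are assumptions, not the project's API.

```python
# Added example, not code from invenio-rdm-records: a toy model of
# generator-based permission checks (all names hypothetical) showing why
# the record must be passed into the check when publishing.
from dataclasses import dataclass

@dataclass
class Record:
    id: str
    owner_id: str
    published: bool = False

class RecordOwners:
    """Need generator: only the record's owner may act. Without the record
    it cannot know who the owner is and yields no needs at all."""
    def needs(self, record=None):
        return set() if record is None else {("id", record.owner_id)}

class Permission:
    def __init__(self, *generators):
        self.generators = generators

    def allows(self, identity, record=None):
        """identity: the set of needs the caller provides, e.g. {("id", "bob")}."""
        needs = set()
        for g in self.generators:
            needs |= g.needs(record=record)
        # An empty need set is granted to everyone (flask-principal
        # semantics); that is what turns a missing record into a bypass.
        return not needs or bool(needs & identity)

PUBLISH = Permission(RecordOwners())

def publish(identity, draft, pass_record):
    """Publish `draft`. pass_record=False reproduces the bug (the record
    never reaches the generators); True is the corrected check."""
    if not PUBLISH.allows(identity, record=draft if pass_record else None):
        raise PermissionError("publish denied")
    draft.published = True
    return draft

def can_publish(user_id, pass_record):
    """Can `user_id` publish alice's draft? (constructed data)"""
    draft = Record(id="abcd-1234", owner_id="alice")
    try:
        publish({("id", user_id)}, draft, pass_record)
        return draft.published
    except PermissionError:
        return False
```

The same check with the record omitted lets "bob" publish alice's draft; once the record is passed in, only alice can.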