Upgrade invenio-rdm-records to version 0.33.10, 0.32.6 or higher.
invenio-rdm-records is a DataCite-based data model for Invenio.
Affected versions of this package are vulnerable to Access Restriction Bypass because permissions are not checked during record publishing. An authenticated user can, via REST API calls, publish another user's draft records if they know the record identifier and the draft validates. An attacker cannot modify the data in the record, and thus cannot, for example, change a record from restricted to public.
The service's publish() method contains the following permission check (the vulnerable form, with the record omitted from the call):

```python
def publish(..):
    # Vulnerable: the record is not passed, so need generators cannot see its owner
    self.require_permission(identity, "publish")
```
However, the record should have been passed into the permission check so that the need generators have access to, for example, the record owner:
```python
def publish(..):
    # Fixed: the record is passed, so generators can derive owner-specific needs
    self.require_permission(identity, "publish", record=record)
```
The bug is triggered in Invenio-RDM-Records, which has a need generator called RecordOwners() that, when no record is passed in, defaults to allowing any authenticated user:

```python
class RecordOwners(Generator):
    def needs(self, record=None, **kwargs):
        # With no record available, the generator falls back to "any authenticated user"
        if record is None:
            return [authenticated_user]
        # ...
```
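The following is an added illustration, not code from invenio-rdm-records or Invenio: it models the need-generator mechanism with constructed stand-in classes (Identity, Record, Service and a tuple-based need representation are assumptions) and shows why omitting the record from require_permission() lets any authenticated identity pass, while passing the record restricts publishing to the owner.

```python
from dataclasses import dataclass

# Constructed stand-ins for Invenio's need/identity model; not the project's real classes.
authenticated_user = ("system_role", "authenticated_user")

class Identity:
    def __init__(self, user_id):
        # A logged-in identity provides its own user need plus the authenticated role.
        self.provides = {("user", user_id), authenticated_user}

@dataclass
class Record:
    id: str
    owner_id: int

class RecordOwners:
    """Mirrors the generator quoted above: no record means 'any authenticated user'."""

    def needs(self, record=None, **kwargs):
        if record is None:
            return [authenticated_user]
        return [("user", record.owner_id)]

class Service:
    policy = {"publish": [RecordOwners()]}

    def require_permission(self, identity, action, **kwargs):
        # Union of every generator's needs; the identity must provide at least one.
        needs = {n for gen in self.policy[action] for n in gen.needs(**kwargs)}
        if not needs & identity.provides:
            raise PermissionError(action)

    def publish_vulnerable(self, identity, record):
        # Record omitted, so RecordOwners() falls back to authenticated_user.
        self.require_permission(identity, "publish")
        return "published"

    def publish_fixed(self, identity, record):
        # Record passed, so the only need is the owner's user need.
        self.require_permission(identity, "publish", record=record)
        return "published"

def can_publish(publish_fn, identity, record):
    # True if the check lets identity publish record, False if it raises PermissionError.
    try:
        publish_fn(identity, record)
        return True
    except PermissionError:
        return False
```

Running can_publish() with a non-owner identity against publish_vulnerable and publish_fixed shows the bypass in the first case and the expected denial in the second.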