Access Restriction Bypass Affecting invenio-rdm-records package, versions [0.33.0, 0.33.10) and [,0.32.6)


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS: 0.05% (24th percentile)

  • Snyk ID: SNYK-PYTHON-INVENIORDMRECORDS-2310014
  • published: 7 Dec 2021
  • disclosed: 6 Dec 2021
  • credit: Lars Holm Nielsen

Introduced: 6 Dec 2021

CVE-2021-43781
CWE-862

How to fix?

Upgrade invenio-rdm-records to version 0.33.10, 0.32.6 or higher.

Overview

invenio-rdm-records is a DataCite-based data model for Invenio.

Affected versions of this package are vulnerable to Access Restriction Bypass because permissions are not checked during record publishing. An authenticated user can, via REST API calls, publish other users' draft records if they know the record identifier and the draft validates. An attacker cannot modify the data in the record, and thus cannot, for example, change a record from restricted to public.

Details

The service's publish() method contains the following permission check:

def publish(..):
    # Vulnerable: no record is passed, so the need generators cannot see its owner.
    self.require_permission(identity, "publish")

However, the record should have been passed into the permission check so that the need generators have access to e.g. the record owner.

def publish(..):
    # Fixed: the record is passed, so RecordOwners can require the owner's need.
    self.require_permission(identity, "publish", record=record)

The bug is triggered in Invenio-RDM-Records, which has a need generator called RecordOwners() that, when no record is passed in, defaults to allowing any authenticated user:

class RecordOwners(Generator):
    def needs(self, record=None, **kwargs):
        if record is None:
            # No record supplied: falls back to allowing any authenticated user.
            return [authenticated_user]
    # ...
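To see the two checks side by side, here is an added example (constructed for this page, not code from invenio-rdm-records or invenio-access) that models a need generator and a permission check: publish_vulnerable() omits the record, so RecordOwners falls back to authenticated_user and any logged-in user passes, while publish_fixed() passes it, so only the owner does. The Record, identity() and require_permission() stand-ins, and the tuple-shaped needs, are assumptions.

```python
# Simplified model of the publish permission bug described above.
# Constructed example: the tuple-shaped needs, Record, identity() and
# require_permission() are stand-ins, not invenio-access or invenio-rdm-records code.
from dataclasses import dataclass

authenticated_user = ("role", "authenticated_user")  # held by every logged-in user

def user_need(user_id):
    return ("id", user_id)

def identity(user_id):
    return {user_need(user_id), authenticated_user}  # needs a logged-in user provides

@dataclass
class Record:
    id_: str
    owner_id: int
    published: bool = False

class RecordOwners:
    # Need generator: the record owner may act on it. The fallback to
    # authenticated_user when no record is passed is the advisory's flaw.
    def needs(self, record=None, **kwargs):
        if record is None:
            return [authenticated_user]
        return [user_need(record.owner_id)]

def require_permission(provides, generators, **kwargs):
    # Grant if the identity provides any need a generator produces.
    needs = {n for g in generators for n in g.needs(**kwargs)}
    if not needs & provides:
        raise PermissionError("publish")

def publish_vulnerable(provides, record):
    require_permission(provides, [RecordOwners()])  # record not passed
    record.published = True
    return record

def publish_fixed(provides, record):
    require_permission(provides, [RecordOwners()], record=record)
    record.published = True
    return record

def can_publish(publish, user_id, record):
    # True if publish() is granted to user_id for a fresh copy of record.
    try:
        return publish(identity(user_id), Record(record.id_, record.owner_id)).published
    except PermissionError:
        return False
```

With the vulnerable variant, user 2 can publish a draft owned by user 1; with the fixed variant the same call raises PermissionError.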

CVSS Scores: version 3.1