GHSA-965r-9cg9-g42p

Source
https://github.com/advisories/GHSA-965r-9cg9-g42p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-965r-9cg9-g42p/GHSA-965r-9cg9-g42p.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-965r-9cg9-g42p
Aliases
  • CVE-2025-48881
Published
2025-05-28T14:38:54Z
Modified
2025-05-30T15:32:51.697516Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Summary
Valtimo backend libraries allow objects in the object-api to be accessed and modified by unauthorized users
Details

Impact

All objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by any authenticated user, regardless of application role.

If object-urls are exposed via other channels, the contents of these objects can be viewed independently of any object-management configuration.

Attack requirements

The following conditions have to be met in order to perform this attack:
  • A user must be logged in
  • No relevant application roles are required
  • At least one object-type must be configured via object-management
  • The scope of the attack is limited to objects that are configured via object-management
  • The value of showInDataMenu is irrelevant for this attack

Patches

No patch was available at the time this advisory was published; check the advisory source for updates.

Workarounds

It is possible to override the endpoint security rules defined in ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer so that the object-api and object-management endpoints require an explicit role instead of only an authenticated session. Depending on how the application uses these endpoints, restricting them in this way can result in loss of functionality.
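The override described in the Workarounds section, with the weak condition from the Attack requirements (any logged-in user, no application role) shown beside it, as an added example. This is not code from the Valtimo project or from the advisory. It assumes Valtimo 12.x on Spring Boot 3 / Spring Security 6, that Valtimo's configurer interface is com.ritense.valtimo.contract.security.config.HttpSecurityConfigurer with a configure(http: HttpSecurity) method, and that Valtimo applies configurer beans in @Order sequence; the path patterns and the ROLE_ADMIN authority name are placeholders to be replaced with the paths the two library configurers actually register in the version you run.

```kotlin
// Added example; not code from the Valtimo project or the advisory.
// Assumptions, to be checked against your Valtimo version:
//  - Valtimo 12.x on Spring Boot 3 / Spring Security 6 (HttpSecurity.authorizeHttpRequests).
//  - Valtimo collects every HttpSecurityConfigurer bean and applies them in @Order
//    sequence. Spring Security evaluates authorization rules in registration order and
//    the first matching rule wins, so a rule registered by a lower-@Order configurer
//    shadows a later rule for the same paths.
//  - The interface com.ritense.valtimo.contract.security.config.HttpSecurityConfigurer
//    exposes configure(http: HttpSecurity).
//  - OBJECT_API_PATTERNS and OBJECT_ADMIN_AUTHORITY are placeholders; use the paths that
//    ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer
//    register in the version you run.
package com.example.valtimo.security

import com.ritense.valtimo.contract.security.config.HttpSecurityConfigurer
import org.springframework.core.Ordered
import org.springframework.core.annotation.Order
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.stereotype.Component

/** Placeholder path patterns for the object-api and object-management endpoints (assumed). */
private val OBJECT_API_PATTERNS = arrayOf(
    "/api/v1/object/**",
    "/api/v1/object-management/**",
)

/** Authority that should be allowed to reach these endpoints (assumed name). */
private const val OBJECT_ADMIN_AUTHORITY = "ROLE_ADMIN"

/**
 * Constructed illustration of the weak condition the advisory describes (CWE-863):
 * the rule only checks that the caller is authenticated, so any logged-in user passes
 * regardless of role. This is a sketch of the pattern, not the library's code, and
 * must NOT be registered as a bean.
 */
class WeakObjectApiSecurityConfigurer : HttpSecurityConfigurer {
    override fun configure(http: HttpSecurity) {
        http.authorizeHttpRequests { auth ->
            auth.requestMatchers(*OBJECT_API_PATTERNS).authenticated()
        }
    }
}

/**
 * Hardened override: the same paths require an explicit authority. HIGHEST_PRECEDENCE
 * orders this configurer before the library's configurers, so its rule is registered
 * first and is the first match for these paths; a merely authenticated caller gets 403.
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
class ObjectApiAdminOnlySecurityConfigurer : HttpSecurityConfigurer {
    override fun configure(http: HttpSecurity) {
        http.authorizeHttpRequests { auth ->
            auth.requestMatchers(*OBJECT_API_PATTERNS).hasAuthority(OBJECT_ADMIN_AUTHORITY)
        }
    }
}
```

After deploying the override, verify it with two sessions: a user that is authenticated but lacks the authority should receive 403 on the object-management and object endpoints, and an administrator should still succeed. Because Spring Security stops at the first matching rule, also confirm that this configurer really is applied before the library's two configurers (for example by listing the HttpSecurityConfigurer beans in order) and that every path those configurers register is covered by the patterns here; an uncovered path keeps the original, weaker rule.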

Database specific
{
    "nvd_published_at": "2025-05-30T06:15:28Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-28T14:38:54Z"
}

Affected packages

Maven / com.ritense.valtimo:objecten-api

Package

Name
com.ritense.valtimo:objecten-api
Purl
pkg:maven/com.ritense.valtimo/objecten-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0.RELEASE
Last affected
11.3.3.RELEASE

Affected versions

11.*

11.0.0.RELEASE
11.1.0.RELEASE
11.1.1.RELEASE
11.1.2.RELEASE
11.1.4.RELEASE
11.1.5.RELEASE
11.1.6.RELEASE
11.2.0.RELEASE
11.2.1.RELEASE
11.2.2.RELEASE
11.3.0.RELEASE
11.3.1.RELEASE
11.3.2.RELEASE
11.3.3.RELEASE

Maven / com.ritense.valtimo:object-management

Package

Name
com.ritense.valtimo:object-management
Purl
pkg:maven/com.ritense.valtimo/object-management

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0.RELEASE
Last affected
11.3.3.RELEASE

Affected versions

11.*

11.0.0.RELEASE
11.1.0.RELEASE
11.1.1.RELEASE
11.1.2.RELEASE
11.1.4.RELEASE
11.1.5.RELEASE
11.1.6.RELEASE
11.2.0.RELEASE
11.2.1.RELEASE
11.2.2.RELEASE
11.3.0.RELEASE
11.3.1.RELEASE
11.3.2.RELEASE
11.3.3.RELEASE

Maven / com.ritense.valtimo:object-management

Package

Name
com.ritense.valtimo:object-management
Purl
pkg:maven/com.ritense.valtimo/object-management

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0.RELEASE
Last affected
12.12.0.RELEASE

Affected versions

12.*

12.0.0.RELEASE
12.0.1.RELEASE
12.1.0.RELEASE
12.1.1.RELEASE
12.1.2.RELEASE
12.1.3.RELEASE
12.2.0.RELEASE
12.2.1.RELEASE
12.3.0.RELEASE
12.3.1.RELEASE
12.4.0.RELEASE
12.4.1.RELEASE
12.5.0.RELEASE
12.5.1.RELEASE
12.6.0.RELEASE
12.6.1.RELEASE
12.6.1.1.RC
12.7.0.RELEASE
12.7.1.RELEASE
12.7.2.RELEASE
12.7.3.RELEASE
12.8.0.RELEASE
12.9.0.RELEASE
12.10.0.RELEASE
12.10.1.RELEASE
12.10.2.RELEASE
12.11.0.RELEASE
12.12.0.RELEASE

Maven / com.ritense.valtimo:objecten-api

Package

Name
com.ritense.valtimo:objecten-api
Purl
pkg:maven/com.ritense.valtimo/objecten-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0.RELEASE
Last affected
12.12.0.RELEASE

Affected versions

12.*

12.0.0.RELEASE
12.0.1.RELEASE
12.1.0.RELEASE
12.1.1.RELEASE
12.1.2.RELEASE
12.1.3.RELEASE
12.2.0.RELEASE
12.2.1.RELEASE
12.3.0.RELEASE
12.3.1.RELEASE
12.4.0.RELEASE
12.4.1.RELEASE
12.5.0.RELEASE
12.5.1.RELEASE
12.6.0.RELEASE
12.6.1.RELEASE
12.6.1.1.RC
12.7.0.RELEASE
12.7.1.RELEASE
12.7.2.RELEASE
12.7.3.RELEASE
12.8.0.RELEASE
12.9.0.RELEASE
12.10.0.RELEASE
12.10.1.RELEASE
12.10.2.RELEASE
12.11.0.RELEASE
12.12.0.RELEASE