GHSA-3c5g-73f7-grvm

Suggest an improvement
Source
https://github.com/advisories/GHSA-3c5g-73f7-grvm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-3c5g-73f7-grvm/GHSA-3c5g-73f7-grvm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3c5g-73f7-grvm
Published
2024-05-17T22:54:47Z
Modified
2024-12-02T05:40:40.396941Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Neos Information Disclosure Security Note
Details

Due to reports it has been validated that internal workspaces in Neos are accessible without authentication. Some users assumed this is a planned feature but it is not. A workspace preview should be an additional feature with respective security measures in place.

Note that this only allows reading of internal workspaces not writing. And for clarification, an internal workspace is a workspace that is non public and doesn't have an owner.

Given that an internal workspace exists in your installation, it is possible to view a page in context of that workspace by opening a link in this format:

https://domain/path/to/page.html@workspace-name

The issue is quite problematic when exploited but at the same time slightly less impactful than it sounds. First of all there is no default internal workspace, so the issue affects only workspaces created by users. That also means the workspace-name, which will also always include a hash is individual to a project and an exploiter must get hold of the workspace-name including the hash. This is non trivial as there is no indication of the existence of it, but obviously brute force and educated guessed can be made.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-17T22:54:47Z"
}
References

Affected packages

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
3.0.20

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.18

Affected versions

3.*

3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2.0
Fixed
3.2.14

Affected versions

3.*

3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
3.2.13

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.0
Fixed
3.3.23

Affected versions

3.*

3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.3.10
3.3.11
3.3.12
3.3.13
3.3.14
3.3.15
3.3.16
3.3.17
3.3.18
3.3.19
3.3.20
3.3.21
3.3.22

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.0.17

Affected versions

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.0.15
4.0.16

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.0
Fixed
4.1.16

Affected versions

4.*

4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.1.10
4.1.11
4.1.12
4.1.13
4.1.14
4.1.15

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.12

Affected versions

4.*

4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.2.10
4.2.11

Packagist / neos/neos

Package

Name
neos/neos
Purl
pkg:composer/neos/neos

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3.0
Fixed
4.3.3

Affected versions

4.*

4.3.0
4.3.1
4.3.2