GHSA-jr83-m233-gg6p

Suggest an improvement
Source
https://github.com/advisories/GHSA-jr83-m233-gg6p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-jr83-m233-gg6p/GHSA-jr83-m233-gg6p.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-jr83-m233-gg6p
Aliases
Published
2024-03-04T20:45:08Z
Modified
2024-03-06T21:46:42.588172Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Sulu grants access to pages regardless of role permissions
Details

Impact

What kind of vulnerability is it? Who is impacted?

Access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem is patched with Version 2.4.17 and 2.5.13.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Remove following lines from vendor/symfony/security-http/HttpUtils.php:

-            // Shortcut if request has already been matched before
-            if ($request->attributes->has('_route')) {
-                return $path === $request->attributes->get('_route');
 -           }

Or do not install symfony/security-http versions greater equal than v5.4.30 or v6.3.6.

References

Are there any links users can visit to find out more?

Currently no references.

Database specific
{
    "nvd_published_at": "2024-03-06T20:15:47Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-04T20:45:08Z"
}
References

Affected packages

Packagist / sulu/sulu

Package

Name
sulu/sulu
Purl
pkg:composer/sulu/sulu

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.4.17

Affected versions

2.*

2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.3.0-RC1
2.3.0-RC2
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.3.11
2.3.12
2.3.13
2.4.0-RC1
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.4.11
2.4.12
2.4.13
2.4.14
2.4.15
2.4.16

Packagist / sulu/sulu

Package

Name
sulu/sulu
Purl
pkg:composer/sulu/sulu

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.5.0-alpha1
Fixed
2.5.13

Affected versions

2.*

2.5.0-alpha1
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.5.9
2.5.10
2.5.11
2.5.12