GHSA-xm6j-x342-gwq9

Source
https://github.com/advisories/GHSA-xm6j-x342-gwq9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-xm6j-x342-gwq9/GHSA-xm6j-x342-gwq9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xm6j-x342-gwq9
Aliases
Published
2019-11-12T23:01:05Z
Modified
2024-02-17T05:34:23.301211Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
SilverStripe Versioned Files module Unpublished files are exposed publicly
Details

In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)

Database specific
{
    "nvd_published_at": "2019-09-26T16:15:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2019-11-12T22:54:36Z"
}
References

Affected packages

Packagist / symbiote/silverstripe-versionedfiles

Package

Name
symbiote/silverstripe-versionedfiles
Purl
pkg:composer/symbiote/silverstripe-versionedfiles

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
2.0.3

Affected versions

1.*

1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13

2.*

2.0.0
2.0.1
2.0.2
2.0.3

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.3.5

Affected versions

4.*

4.0.0
4.0.1-rc1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.1.0-rc1
4.1.0-rc2
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.2.0-beta1
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.3.0-rc1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4

Packagist / silverstripe/framework

Package

Name
silverstripe/framework
Purl
pkg:composer/silverstripe/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
4.4.4

Affected versions

4.*

4.4.0
4.4.1
4.4.2
4.4.3