Incorrect Default Permissions

CVE-2024-1314

Severity High
Score 8.6/10

Summary

The attachment file of an existing record can be replaced if the user has "read" permission on one of the parents (collection or bucket). This issue affects versions of the kinto-attachment package prior to 6.4.0.

  • LOW
  • NETWORK
  • HIGH
  • CHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-276 - Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Advisory Timeline

  • Published