Incorrect Default Permissions
CVE-2024-1314
Summary
The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent (collection or bucket). This issue affects the package kinto-attachment versions prior to 6.4.0.
- LOW
- NETWORK
- HIGH
- CHANGED
- NONE
- NONE
- NONE
- NONE
CWE-276 - Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
References
Advisory Timeline
- Published