CVE-2024-1314

Description

### Impact The attachment file of an existing record can be replaced if the user has `"read"` permission on one of the parent (collection or bucket). And if the `"read"` permission is given to `"system.Everyone"` on one of the parent, then the attachment can be replaced on a record using an anonymous request. Note that if the parent has no explicit read permission, then the records attachments are safe. ### Patches - Patch released in kinto-attachment 6.4.0 - https://github.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1 ### Workarounds None if the read permission has to remain granted. Updating to 6.4.0 or applying the patch individually (if updating is not feasible) is strongly recommended. ### References - https://bugzilla.mozilla.org/show_bug.cgi?id=1879034

How to fix CVE-2024-1314

To remediate CVE-2024-1314, upgrade the affected package to a fixed version below.

• —upgrade to 6.4.0 or later

Is CVE-2024-1314 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2024-1314.

Affected packages (1)

• from 0, < 6.4.0

CVSS scores

References (4)

• PATCHgithub.com/Kinto/kinto-attachment
• WEBbugzilla.mozilla.org/show_bug.cgi?id=1879034
• WEBgithub.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1
• WEBgithub.com/Kinto/kinto-attachment/security/advisories/GHSA-hvp4-vrv2-8wrq