Safety vulnerability ID: 66714
The information on this page was manually curated by our Cybersecurity Intelligence Team.
kinto-attachment versions above 6.4.0 are susceptible to a vulnerability where the attachment file on an existing record can be replaced by any user who holds "read" permission on one of the record's parent entities (its collection or bucket). If that "read" permission is granted to "system.Everyone" on one of the parents, an attachment on a record can be replaced through an anonymous request. If the parent entities have no explicit "read" permission assigned, the attachments on their records are not exposed to such unauthorized replacement.
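To make the permission condition concrete for auditing, the following is an added example and not code from kinto-attachment or from this advisory. It models the two rules side by side (the affected one, where "read" on any parent is enough to replace an attachment, and the intended one assumed here, where "write" on a parent is required) and reports, for constructed Kinto-style permission objects, which principals gain attachment replacement only because of the flaw. The resource shape `{"read": [...], "write": [...]}`, the sample bucket and collection paths, and the `account:` principal names are assumptions for this example; "system.Everyone" is the principal named in the advisory.

```python
"""Added example, not code from kinto-attachment or the Safety DB record.

Models the authorization condition the advisory describes and audits
Kinto-style permission objects for it.  Assumptions: parents expose a
permissions block shaped {"read": [...], "write": [...]} and the intended
rule is that only principals holding "write" on a parent may replace an
attachment.
"""
from typing import Dict, Iterable, List, Set

ANONYMOUS = "system.Everyone"  # principal named in the advisory

# Constructed sample: permission blocks for the parents of two records.
# Keys are parent resource paths; values mimic a Kinto "permissions" block.
SAMPLE_PARENTS: Dict[str, Dict[str, List[str]]] = {
    "/buckets/blog": {"write": ["account:alice"], "read": ["account:bob"]},
    "/buckets/blog/collections/posts": {
        "write": ["account:alice"],
        "read": [ANONYMOUS],  # public collection: anonymous read
    },
    "/buckets/internal": {"write": ["account:alice"]},
    "/buckets/internal/collections/notes": {"write": ["account:alice"]},
}

# Constructed sample: parent chain (bucket, then collection) for each record.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "/buckets/blog/collections/posts/records/1": [
        "/buckets/blog",
        "/buckets/blog/collections/posts",
    ],
    "/buckets/internal/collections/notes/records/1": [
        "/buckets/internal",
        "/buckets/internal/collections/notes",
    ],
}


def principals_allowed_to_replace(
    parents: Iterable[Dict[str, List[str]]], affected: bool
) -> Set[str]:
    """Return the principals that may replace a record's attachment.

    affected=True reproduces the condition in the advisory: "read" on ANY
    parent is sufficient.  affected=False is the intended rule assumed here:
    only principals holding "write" on a parent.
    """
    allowed: Set[str] = set()
    for perms in parents:
        allowed.update(perms.get("write", []))
        if affected:
            allowed.update(perms.get("read", []))
    return allowed


def audit_record(
    record_path: str,
    records: Dict[str, List[str]] = SAMPLE_RECORDS,
    parents: Dict[str, Dict[str, List[str]]] = SAMPLE_PARENTS,
) -> dict:
    """Report principals that gain replacement rights only because of the flaw."""
    chain = [parents[p] for p in records[record_path]]
    intended = principals_allowed_to_replace(chain, affected=False)
    actual = principals_allowed_to_replace(chain, affected=True)
    extra = actual - intended
    return {
        "record": record_path,
        "extra_principals": sorted(extra),
        # True when an unauthenticated request could replace the attachment.
        "anonymous_replace": ANONYMOUS in extra,
    }


def audit_all(
    records: Dict[str, List[str]] = SAMPLE_RECORDS,
    parents: Dict[str, Dict[str, List[str]]] = SAMPLE_PARENTS,
) -> List[dict]:
    """Audit every record and return one finding per record."""
    return [audit_record(r, records, parents) for r in records]


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

Against the sample data, the record under the public "posts" collection is flagged as replaceable anonymously (and by `account:bob`, who only has read on the bucket), while the record under the "internal" bucket, whose parents carry no explicit "read" permission, reports no extra principals, matching the advisory's note that such records are not exposed. Feeding real permission blocks fetched from a server into `audit_record` gives a quick inventory of which records need attention before upgrading.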
Latest version: 7.0.0
Attach files to Kinto records