Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
5 vulnerabilities by inveniosoftware
CVE-2021-43781 (GCVE-0-2021-43781)
Vulnerability from cvelistv5 – Published: 2021-12-06 17:45 – Updated: 2024-08-04 04:03
VLAI
Title
Permissions not properly checked in Invenio-Drafts-Resources
Summary
Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated a user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. *cannot* change a record from restricted to public. The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively.
Severity
6.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/inveniosoftware/invenio-drafts… | x_refsource_CONFIRM |
| https://github.com/inveniosoftware/invenio-drafts… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| inveniosoftware | invenio-drafts-resources |
Affected:
< 0.13.7
Affected: >= 0.14.0, < 0.14.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.806Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inveniosoftware/invenio-drafts-resources/security/advisories/GHSA-xr38-w74q-r8jv"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inveniosoftware/invenio-drafts-resources/commit/039b0cff1ad4b952000f4d8c3a93f347108b6626"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "invenio-drafts-resources",
"vendor": "inveniosoftware",
"versions": [
{
"status": "affected",
"version": "\u003c 0.13.7"
},
{
"status": "affected",
"version": "\u003e= 0.14.0, \u003c 0.14.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated a user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. *cannot* change a record from restricted to public. The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-06T17:45:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inveniosoftware/invenio-drafts-resources/security/advisories/GHSA-xr38-w74q-r8jv"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inveniosoftware/invenio-drafts-resources/commit/039b0cff1ad4b952000f4d8c3a93f347108b6626"
}
],
"source": {
"advisory": "GHSA-xr38-w74q-r8jv",
"discovery": "UNKNOWN"
},
"title": "Permissions not properly checked in Invenio-Drafts-Resources",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43781",
"STATE": "PUBLIC",
"TITLE": "Permissions not properly checked in Invenio-Drafts-Resources"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "invenio-drafts-resources",
"version": {
"version_data": [
{
"version_value": "\u003c 0.13.7"
},
{
"version_value": "\u003e= 0.14.0, \u003c 0.14.6"
}
]
}
}
]
},
"vendor_name": "inveniosoftware"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated a user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. *cannot* change a record from restricted to public. The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inveniosoftware/invenio-drafts-resources/security/advisories/GHSA-xr38-w74q-r8jv",
"refsource": "CONFIRM",
"url": "https://github.com/inveniosoftware/invenio-drafts-resources/security/advisories/GHSA-xr38-w74q-r8jv"
},
{
"name": "https://github.com/inveniosoftware/invenio-drafts-resources/commit/039b0cff1ad4b952000f4d8c3a93f347108b6626",
"refsource": "MISC",
"url": "https://github.com/inveniosoftware/invenio-drafts-resources/commit/039b0cff1ad4b952000f4d8c3a93f347108b6626"
}
]
},
"source": {
"advisory": "GHSA-xr38-w74q-r8jv",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43781",
"datePublished": "2021-12-06T17:45:10.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:03:08.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1020006 (GCVE-0-2019-1020006)
Vulnerability from cvelistv5 – Published: 2019-07-29 14:10 – Updated: 2024-08-05 03:14
VLAI
Summary
invenio-app before 1.1.1 allows host header injection.
Severity
No CVSS data available.
CWE
- host header injection
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/inveniosoftware/invenio-app/se… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Invenio | invenio-app |
Affected:
< 1.1.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:14:15.372Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/inveniosoftware/invenio-app/security/advisories/GHSA-94mf-xfg5-r247"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "invenio-app",
"vendor": "Invenio",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "invenio-app before 1.1.1 allows host header injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "host header injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-29T14:10:07.000Z",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/inveniosoftware/invenio-app/security/advisories/GHSA-94mf-xfg5-r247"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2019-1020006",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "invenio-app",
"version": {
"version_data": [
{
"version_value": "\u003c 1.1.1"
}
]
}
}
]
},
"vendor_name": "Invenio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "invenio-app before 1.1.1 allows host header injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "host header injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inveniosoftware/invenio-app/security/advisories/GHSA-94mf-xfg5-r247",
"refsource": "CONFIRM",
"url": "https://github.com/inveniosoftware/invenio-app/security/advisories/GHSA-94mf-xfg5-r247"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2019-1020006",
"datePublished": "2019-07-29T14:10:07.000Z",
"dateReserved": "2019-07-26T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:14:15.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1020005 (GCVE-0-2019-1020005)
Vulnerability from cvelistv5 – Published: 2019-07-29 14:07 – Updated: 2024-08-05 03:14
VLAI
Summary
invenio-communities before 1.0.0a20 allows XSS.
Severity
No CVSS data available.
CWE
- XSS
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/inveniosoftware/invenio-commun… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Invenio | invenio-communities |
Affected:
< 1.0.0a20
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:14:15.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inveniosoftware/invenio-communities/security/advisories/GHSA-mfv8-q39f-mgfg"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "invenio-communities",
"vendor": "Invenio",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.0a20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "invenio-communities before 1.0.0a20 allows XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-29T14:07:05.000Z",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inveniosoftware/invenio-communities/security/advisories/GHSA-mfv8-q39f-mgfg"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2019-1020005",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "invenio-communities",
"version": {
"version_data": [
{
"version_value": "\u003c 1.0.0a20"
}
]
}
}
]
},
"vendor_name": "Invenio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "invenio-communities before 1.0.0a20 allows XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inveniosoftware/invenio-communities/security/advisories/GHSA-mfv8-q39f-mgfg",
"refsource": "MISC",
"url": "https://github.com/inveniosoftware/invenio-communities/security/advisories/GHSA-mfv8-q39f-mgfg"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2019-1020005",
"datePublished": "2019-07-29T14:07:05.000Z",
"dateReserved": "2019-07-26T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:14:15.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1020003 (GCVE-0-2019-1020003)
Vulnerability from cvelistv5 – Published: 2019-07-29 14:03 – Updated: 2024-08-05 03:14
VLAI
Summary
invenio-records before 1.2.2 allows XSS.
Severity
No CVSS data available.
CWE
- XSS
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/inveniosoftware/invenio-record… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Invenio | invenio-records |
Affected:
< 1.2.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:14:15.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inveniosoftware/invenio-records/security/advisories/GHSA-vxh3-mvv7-265j"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "invenio-records",
"vendor": "Invenio",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "invenio-records before 1.2.2 allows XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-29T14:03:57.000Z",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inveniosoftware/invenio-records/security/advisories/GHSA-vxh3-mvv7-265j"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2019-1020003",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "invenio-records",
"version": {
"version_data": [
{
"version_value": "\u003c 1.2.2"
}
]
}
}
]
},
"vendor_name": "Invenio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "invenio-records before 1.2.2 allows XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inveniosoftware/invenio-records/security/advisories/GHSA-vxh3-mvv7-265j",
"refsource": "MISC",
"url": "https://github.com/inveniosoftware/invenio-records/security/advisories/GHSA-vxh3-mvv7-265j"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2019-1020003",
"datePublished": "2019-07-29T14:03:57.000Z",
"dateReserved": "2019-07-26T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:14:15.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1020019 (GCVE-0-2019-1020019)
Vulnerability from cvelistv5 – Published: 2019-07-29 13:16 – Updated: 2024-08-05 03:14
VLAI
Summary
invenio-previewer before 1.0.0a12 allows XSS.
Severity
No CVSS data available.
CWE
- XSS
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/inveniosoftware/invenio-previe… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Invenio | invenio-previewer |
Affected:
< 1.0.0a12
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:14:16.053Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/inveniosoftware/invenio-previewer/security/advisories/GHSA-j9m2-6hq2-4r3c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "invenio-previewer",
"vendor": "Invenio",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.0a12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "invenio-previewer before 1.0.0a12 allows XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-29T13:16:32.000Z",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/inveniosoftware/invenio-previewer/security/advisories/GHSA-j9m2-6hq2-4r3c"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2019-1020019",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "invenio-previewer",
"version": {
"version_data": [
{
"version_value": "\u003c 1.0.0a12"
}
]
}
}
]
},
"vendor_name": "Invenio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "invenio-previewer before 1.0.0a12 allows XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/inveniosoftware/invenio-previewer/security/advisories/GHSA-j9m2-6hq2-4r3c",
"refsource": "MISC",
"url": "https://github.com/inveniosoftware/invenio-previewer/security/advisories/GHSA-j9m2-6hq2-4r3c"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2019-1020019",
"datePublished": "2019-07-29T13:16:32.000Z",
"dateReserved": "2019-07-26T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:14:16.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}