Skip to content

Field-level access-control bypass for multiselect field

Critical
dcousens published GHSA-6mhr-52mv-6v6f Oct 18, 2022

Package

npm @keystone-6/core (npm)

Affected versions

2.2.0 || 2.3.0

Patched versions

2.3.1

Description

Impact

@keystone-6/[email protected] || 2.3.0 users who are using the multiselect field, and provided field-level access control - are vulnerable to their field-level access control not being used.

List-level access control is NOT affected.

Field-level access control for fields other than multiselect are NOT affected.

Example, you are vulnerable if you are using field-level access control on a multiselect like the following:

const yourList = list({
  access: {
    // this is list-level access control, this is NOT impacted
  },
  fields: {
    yourFieldName: multiselect({
      // this is field-level access control, for multiselect fields
      //   this is vulnerable
      access: {
        create: ({ session }) => session?.data.isAdmin,
        update: ({ session }) => session?.data.isAdmin,
      },
      options: [
        { value: 'apples', label: 'Apples' },
        { value: 'oranges', label: 'Oranges' },
      ],
      // ...
    }),
    // ...
  },
  // ...
});

Mitigation

Please upgrade to @keystone-6/core >= 2.3.1, where this vulnerability has been closed.

Workarounds

If for some reason you cannot upgrade your dependencies, you should stop using the multiselect field.

Credits

Thanks to Marek R for reporting and submitting the pull request to fix this problem.

If you have any questions around this security advisory, please don't hesitate to contact us at [email protected], or open an issue on GitHub.

If you have a security flaw to report for any software in this repository, please see our SECURITY policy.

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2022-39322

Weaknesses

No CWEs

Credits