CVE-2020-6165
Description
SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g., through pagination), resulting in records that should have failed a permission check being added to the final result set. GraphQL endpoints are configured by default (e.g., for assets), but the admin/graphql endpoint is access protected by default. This limits the vulnerability to all authenticated users, including those with limited permissions (e.g., where viewing records exposed through admin/graphql requires administrator permissions). However, if custom GraphQL endpoints have been configured for a specific implementation (usually under /graphql), this vulnerability could also be exploited through unauthenticated requests. This vulnerability only applies to reading records; it does not allow unauthorised changing of records.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
silverstripe/recipe-cmsPackagist | >= 4.5.0, < 4.5.3 | 4.5.3 |
silverstripe/graphqlPackagist | >= 3.2.0, < 3.2.4 | 3.2.4 |
Affected products
4- SilverStripe/recipe-cmsdescription
- osv-coords3 versions
>= 3.2.0, < 3.2.4+ 2 more
- (no CPE)range: >= 3.2.0, < 3.2.4
- (no CPE)range: >= 3.2.0, < 3.2.4
- (no CPE)range: >= 4.5.0, < 4.5.3
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-589q-75r3-mfq4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-6165ghsaADVISORY
- docs.silverstripe.org/en/4/changelogs/4.5.3/ghsaWEB
- docs.silverstripe.org/en/4/changelogs/4.6.0/ghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2020-6165.yamlghsaWEB
- www.silverstripe.org/download/security-releases/CVE-2020-6165ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.