VYPR
Moderate severity · NVD Advisory · Published May 16, 2022 · Updated Aug 2, 2024

Improper Access Control in publify/publify

CVE-2022-0574

Description

Improper Access Control in GitHub repository publify/publify prior to 9.2.8.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: publify_core (RubyGems)
Affected versions: < 9.2.8
Patched versions: 9.2.8


Patches

Commit 0e6c66ac2002

Do not allow comments on Article if not published

https://github.com/publify/publify · Matijs van Zuijlen · Feb 13, 2022 · via ghsa
3 files changed · +29 −2
  • publify_core/app/models/article.rb · +1 −1 · modified
    @@ -204,7 +204,7 @@ def notify_user_via_email(user)
       end
     
       def comments_closed?
    -    !(allow_comments? && in_feedback_window?)
    +    !(allow_comments? && published? && in_feedback_window?)
       end
     
       def html_urls
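Review bot: the one-line fix to comments_closed? is right for the draft and publication_pending cases the new specs cover, but the negated triple conjunction is getting hard to read and will only grow; consider stating the positive condition once, e.g. `def comments_open?; allow_comments? && published? && in_feedback_window?; end`, and defining comments_closed? as `!comments_open?`, so the next gate is added in one obvious place. The commit message also says nothing about this closing a security issue; a CHANGELOG entry or advisory reference would help downstream packagers pick the change up.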
    
  • publify_core/spec/controllers/comments_controller_spec.rb · +15 −0 · modified
    @@ -58,6 +58,21 @@
             expect(response.body).to have_text "content"
           end
         end
    +
    +    it "does not allow commenting if article does not allow comments" do
    +      no_comments = create(:article, allow_comments: false)
    +      expect do
    +        post :create, xhr: true, params: { comment: comment_params,
    +                                           article_id: no_comments.id }
    +      end.not_to change(no_comments.comments, :count)
    +    end
    +
    +    it "does not allow commenting if article is draft" do
    +      draft = create(:article, state: "draft")
    +      expect do
    +        post :create, xhr: true, params: { comment: comment_params, article_id: draft.id }
    +      end.not_to change(draft.comments, :count)
    +    end
       end
     
       describe "#preview" do
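Review bot: both new examples assert only that the comment count does not change, so they cannot tell a request the controller rejected from one that errored out before reaching the model; add an assertion on the response the controller gives for a closed article (status or body) next to each `not_to change(..., :count)` check. The draft example can also share the `comment_params` / `article_id` call shape with the one above it through a small helper, since the two tests differ only in how the article is built.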
    
  • publify_core/spec/models/article_spec.rb · +13 −1 · modified
    @@ -856,8 +856,9 @@
         it "returns only published articles" do
           article = create(:article)
           create(:comment, article: article)
    -      unpublished_article = create(:article, state: "draft")
    +      unpublished_article = create(:article)
           create(:comment, article: unpublished_article)
    +      unpublished_article.update!(state: "draft")
           expect(described_class.published).to eq([article])
           expect(described_class.bestof).to eq([article])
         end
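Review bot: the reordering in this hunk (create the article, attach the comment, then `unpublished_article.update!(state: "draft")`) is only there because a comment can no longer be attached to an article that is already a draft; without a comment in the spec saying so, the next reader is likely to fold it back into `create(:article, state: "draft")` and get a confusing failure. Suggest a one-line comment above the `update!` explaining that comments are now refused on unpublished articles.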
    @@ -955,6 +956,17 @@
         context "when auto_close setting is zero" do
           let(:auto_close_value) { 0 }
     
    +      it "does not allow comments for a draft article" do
    +        art = build :article, state: "draft", blog: blog
    +        assert art.comments_closed?
    +      end
    +
    +      it "does not allow comments for an article that will be published in the future" do
    +        art = build :article, state: "publication_pending",
    +                              published_at: 1.day.from_now, blog: blog
    +        assert art.comments_closed?
    +      end
    +
           it "allows comments for a newly published article" do
             art = build :article, published_at: 1.second.ago, blog: blog
             assert !art.comments_closed?
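Review bot: the two new examples sit inside the `when auto_close setting is zero` context, so they only show that the publication state gates the result when in_feedback_window? is unconditionally true; the more interesting case is a non-zero setting, where a draft or pending article whose published_at is inside the window would previously have reported comments open. Move the two examples up a level, or duplicate them in the non-zero context, so both branches of in_feedback_window? are exercised together with the new published? check.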
    

Vulnerability mechanics

Before 9.2.8, Article#comments_closed? in publify_core (see the patch above) returned false whenever the article allowed comments and was inside its feedback window; it never consulted the article's publication state. Any article with allow_comments set, including drafts and articles scheduled for future publication (state "publication_pending"), therefore accepted new comments through the comments controller even though the article itself was not publicly visible. The fix adds `published?` to the conjunction, and the new controller and model specs cover the draft and publication_pending cases. Affected: publify_core < 9.2.8; fixed in 9.2.8.
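As an added example that is not part of this advisory or of Publify's own code, the Ruby script below models the predicate from the patch above both as it read before the fix and as it reads after, and runs it over constructed draft, pending, published, auto-closed and comments-disabled articles. `ArticleStub`, `try_comment`, `acceptance_table` and the simplified bodies of `published?` and `in_feedback_window?` are assumptions made for illustration; Publify's real Article model derives those from its state machine and the blog's auto-close setting.

```ruby
# Added example, not Publify's code: a stand-alone stand-in for the fields and
# predicates that Article#comments_closed? reads, showing the predicate before
# and after commit 0e6c66ac2002. published? and in_feedback_window? below are
# simplified assumptions, not the project's implementation.
class ArticleStub
  STATES = %w[draft publication_pending published].freeze

  attr_reader :state, :published_at, :auto_close_days

  def initialize(state:, published_at:, allow_comments: true, auto_close_days: 0)
    raise ArgumentError, "unknown state #{state}" unless STATES.include?(state)
    @state = state
    @published_at = published_at        # Time
    @allow_comments = allow_comments
    @auto_close_days = auto_close_days  # assumption: 0 means never auto-close
  end

  def allow_comments?
    @allow_comments
  end

  # Assumption: published only when the state says so and the publish time has
  # passed; a "publication_pending" article with published_at in the future is
  # not published.
  def published?
    state == "published" && published_at <= Time.now
  end

  # Simplified feedback window: with auto-close at zero comments stay open
  # forever, otherwise they close auto_close_days after published_at.
  def in_feedback_window?
    return true if auto_close_days.zero?
    Time.now < published_at + auto_close_days * 86_400
  end

  # Predicate as it read before the fix: publication state is never checked.
  def comments_closed_before_fix?
    !(allow_comments? && in_feedback_window?)
  end

  # Predicate after the fix (the one-line change in article.rb).
  def comments_closed_after_fix?
    !(allow_comments? && published? && in_feedback_window?)
  end
end

# Minimal stand-in for the controller path the spec exercises: store the comment
# only when the chosen predicate says comments are open; returns whether it was
# stored.
def try_comment(article, store, body, predicate)
  return false if article.public_send(predicate)
  store << body
  true
end

# Constructed sample articles covering the cases in the new specs plus the two
# pre-existing gates (auto-close window, allow_comments off).
NOW = Time.now
SAMPLES = {
  draft:     ArticleStub.new(state: "draft", published_at: NOW - 3600),
  pending:   ArticleStub.new(state: "publication_pending", published_at: NOW + 86_400),
  published: ArticleStub.new(state: "published", published_at: NOW - 1),
  expired:   ArticleStub.new(state: "published", published_at: NOW - 40 * 86_400,
                             auto_close_days: 30),
  disabled:  ArticleStub.new(state: "published", published_at: NOW - 1,
                             allow_comments: false)
}.freeze

# Returns, per sample, whether a comment is accepted [before fix, after fix],
# e.g. { draft: [true, false], ... }.
def acceptance_table
  SAMPLES.transform_values do |article|
    %i[comments_closed_before_fix? comments_closed_after_fix?].map do |pred|
      try_comment(article, [], "hello", pred)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  acceptance_table.each do |name, (before, after)|
    puts format("%-10s accepted before fix: %-5s after fix: %s", name, before, after)
  end
end
```

The draft and pending rows are the CVE: before the fix both accept a comment because only `allow_comments?` and the feedback window are consulted; after the fix `published?` closes them while the already-published article, the auto-closed one and the comments-disabled one behave exactly as before.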
