VYPR
Moderate severity · NVD Advisory · Published May 16, 2022 · Updated Aug 3, 2024

Leaking password protected articles content due to improper access control in publify/publify

CVE-2022-1553

Description

Leaking password protected articles content due to improper access control in GitHub repository publify/publify prior to 9.2.8. Attackers can leverage this vulnerability to view the contents of any password-protected article present on the publify website, compromising confidentiality and integrity of users.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: publify_core (RubyGems)
Affected versions: < 9.2.8
Patched versions: 9.2.8

Affected products

1

Patches

1
1a78f16f4608

Do not create article meta description for password-protected articles

https://github.com/publify/publify · Matijs van Zuijlen · May 14, 2022 · via ghsa
3 files changed · +33 -3
  • publify_core/app/controllers/articles_controller.rb · +4 -1 · modified
    @@ -166,7 +166,10 @@ def show_article
           format.html do
             @comment = Comment.new
             @page_title = this_blog.article_title_template.to_title(@article, this_blog, params)
    -        @description = this_blog.article_desc_template.to_title(@article, this_blog, params)
    +        if @article.password.blank?
    +          @description = this_blog.article_desc_template.
    +            to_title(@article, this_blog, params)
    +        end
     
             @keywords = @article.tags.map(&:name).join(", ")
             render "articles/#{@article.post_type}"
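Review bot: The guard only covers @description; @page_title on the line above is still built unconditionally from article_title_template with the same @article, so if that template can reference the same body or excerpt placeholders, protected content still reaches the <title>. Consider applying the same `@article.password.blank?` check there, and confirm the layout's meta tag tolerates a nil @description for protected articles. Minor style: the trailing-dot chain split (`@description = this_blog.article_desc_template.` / `to_title(@article, this_blog, params)`) should follow the project's RuboCop DotPosition setting.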
    
  • publify_core/spec/controllers/articles_controller_spec.rb · +19 -0 · modified
    @@ -483,6 +483,25 @@
               to raise_error ActiveRecord::RecordNotFound
           end
         end
    +
    +    context "when the article is password protected" do
    +      render_views
    +
    +      let!(:blog) { create(:blog, permalink_format: "/%title%.html") }
    +      let!(:article) do
    +        create(:article, title: "Secretive", body: "protected foobar", password: "password")
    +      end
    +
    +      it "shows a password form for the article" do
    +        get :redirect, params: { from: "secretive.html" }
    +        expect(response.body).to have_selector('input[id="article_password"]', count: 1)
    +      end
    +
    +      it "does not include the article body anywhere" do
    +        get :redirect, params: { from: "secretive.html" }
    +        expect(response.body).not_to include article.body
    +      end
    +    end
       end
     
       describe "#check_password" do
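Review bot: The negative assertion `expect(response.body).not_to include article.body` proves only that the literal string "protected foobar" is absent; since the leak was through the description meta tag, pin the regression with a check that no `<meta name="description">` in the response carries the body, and add `expect(response).to have_http_status(:ok)` so the example cannot pass on an error page. Enabling `render_views` here is correct and necessary: without it a controller spec's response.body is empty and the assertion would pass vacuously.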
    
  • spec/controllers/articles_controller_spec.rb · +10 -2 · modified
    @@ -99,12 +99,20 @@
             end
     
             context "when the article is password protected" do
    -          let(:article) { create(:article, password: "password") }
    +          let(:article) do
    +            create(:article, title: "Secretive", body: "protected foobar",
    +                             password: "password")
    +          end
     
    -          it "article alone should be password protected" do
    +          it "shows a password form for the article" do
                 get :redirect, params: { from: from_param }
                 expect(response.body).to have_selector('input[id="article_password"]', count: 1)
               end
    +
    +          it "does not include the article body anywhere" do
    +            get :redirect, params: { from: from_param }
    +            expect(response.body).not_to include article.body
    +          end
             end
           end
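Review bot: `render_views` is not visible in this hunk's context; unless it is enabled higher up in this describe block, `response.body` is blank in a controller spec and `not_to include article.body` passes without exercising the fix, whereas the publify_core spec in this same commit added it explicitly. This context also now duplicates the publify_core example almost line for line (same fixture, same two examples); a shared example group would keep the two in sync.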
     
    
