VYPR
Critical severity · NVD Advisory · Published Mar 12, 2023 · Updated Mar 4, 2025

CVE-2022-48367

Description

An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Access control based on object state in eZ Publish Ibexa Kernel before 7.5.28 is mishandled, allowing unauthorized content access.

Vulnerability

Description

An issue in eZ Publish Ibexa Kernel (and related packages) before version 7.5.28 causes object state limitations to be ineffective [1][4]. Object state limitations are a policy mechanism used in roles to restrict access to content based on specific state values. Due to a flawed earlier update, these limitations became inoperative, granting access regardless of the object state [4].

Exploitation

No authentication is required to exploit this flaw; an attacker who knows the URL of otherwise restricted content can access it directly [4]. The vulnerability affects multiple branches, including Ibexa DXP versions 4.1.*, 4.0.*, and eZ Platform kernel versions 1.3.* and 7.5.* [4].

Impact

Successful exploitation bypasses intended access control, potentially exposing sensitive content that should have been hidden based on object state values. The severity is rated High [4]. Depending on frontend configuration, simply knowing the content URL may be sufficient to gain unauthorized access [4].

Mitigation

The issue is fixed in eZ Publish Kernel version 7.5.28, as well as in Ibexa DXP v4.1.2, v4.0.5, v3.3.18, and eZ Platform v2.5.29 [4]. Administrators using object state limitations should apply the relevant update immediately [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| ezsystems/ezpublish-kernel (Packagist) | >= 7.5.0, < 7.5.28 | 7.5.28 |
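
A check for the affected range listed above, as an added example that is not from the advisory or the vendor. It assumes a Composer-managed project whose `composer.lock` lists installed packages under `packages` and `packages-dev`, and it encodes only the `ezsystems/ezpublish-kernel` range given on this page; the function names and sample lock content are constructed for illustration.

```python
import json
import re

# Range taken from this page's "Affected packages" table.
PACKAGE = "ezsystems/ezpublish-kernel"
AFFECTED_FROM = (7, 5, 0)   # inclusive lower bound
FIXED_IN = (7, 5, 28)       # exclusive upper bound (first patched release)

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch), or None for branch aliases and pre-releases."""
    m = _VERSION.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def check_lock(lock_text):
    """Classify a composer.lock as 'affected', 'outside-range', 'unknown' or 'absent'."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            version = parse_version(pkg.get("version", ""))
            if version is None:
                # e.g. "dev-master" or "7.5.x-dev": cannot be placed in the
                # range, so flag it for manual review instead of guessing.
                return "unknown"
            if AFFECTED_FROM <= version < FIXED_IN:
                return "affected"
            return "outside-range"
    return "absent"


def make_lock(version):
    """Constructed sample composer.lock content (not from a real project)."""
    return json.dumps({"packages": [{"name": PACKAGE, "version": version}],
                       "packages-dev": []})


if __name__ == "__main__":
    for v in ("v7.5.27", "v7.5.28", "7.5.x-dev"):
        print(v, "->", check_lock(make_lock(v)))
```

An `outside-range` result only means the version is not in the range this page lists for this one package; the other branches named in the narrative ship under package names this page does not give.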

Affected products

3

References

4