首頁 探索 說明
登入
CityApper
/
wagtail
镜像来自 https://github.com/wagtail/wagtail
2
0
複刻 0
Files 問題管理 0 Wiki
瀏覽代碼

Release note for CVE-2024-32882 in 6.0.3

Matt Westcott 10 月之前
父節點
ee57f6d4dc
當前提交
9d24ac4e39
共有 3 個文件被更改,包括 11 次插入0 次删除
分割檢視 顯示文件統計
  1. 1 0
      CHANGELOG.txt
  2. 2 0
      docs/extending/generic_views.md
  3. 8 0
      docs/releases/6.0.3.md

+ 1 - 0
CHANGELOG.txt
查看文件 

@@ -120,6 +120,7 @@ Changelog
 
 6.0.3 (xx.xx.xxxx) - IN DEVELOPMENT
 
 ~~~~~~~~~~~~~~~~~~
 
 
+ * Fix: CVE-2024-32882: Permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet` (Ben Morse, Joshua Munn, Jake Howard, Sage Abdullah)
 
  * Fix: Respect `WAGTAIL_ALLOW_UNICODE_SLUGS` setting when auto-generating slugs (LB (Ben) Johnston)
 
  * Fix: Use correct URL when redirecting back to page search results after an AJAX search (Sage Abdullah)
 
  * Fix: Reinstate missing static files in style guide (Sage Abdullah)

+ 2 - 0
docs/extending/generic_views.md
查看文件 

@@ -8,6 +8,8 @@
 
 
 Wagtail provides several generic views for handling common tasks such as creating / editing model instances and chooser modals. For convenience, these views are bundled in [viewsets](viewsets_reference).
 
 
+(modelviewset)=
 
+
 
 ## ModelViewSet
 
 
 The {class}`~wagtail.admin.viewsets.model.ModelViewSet` class provides the views for listing, creating, editing, and deleting model instances. For example, if we have the following model:

+ 8 - 0
docs/releases/6.0.3.md
查看文件 

@@ -11,6 +11,14 @@ depth: 1
 
 
 ## What's new
 
 
+### CVE-2024-32882: Permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet`
 
+
 
+This release addresses a permission vulnerability in the Wagtail admin interface. If a model has been made available for editing through the [`wagtail.contrib.settings`](/reference/contrib/settings) module or [ModelViewSet](modelviewset), and the permission argument on FieldPanel has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific field can craft an HTTP POST request that bypasses the permission check on the individual field, allowing them to update its value.
 
+
 
+The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, or by a user who has not been granted edit access to the model in question. The editing interfaces for pages and snippets are also unaffected.
 
+
 
+Many thanks to Ben Morse and Joshua Munn for reporting this issue, and Jake Howard and Sage Abdullah for the fix. For further details, please see [the CVE-2024-32882 security advisory](https://github.com/wagtail/wagtail/security/advisories/GHSA-w2v8-php4-p8hc).
 
+
 
 ### Bug fixes
 
 
  * Respect `WAGTAIL_ALLOW_UNICODE_SLUGS` setting when auto-generating slugs (LB (Ben) Johnston)