CVE-2024-49756

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-49756

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49756.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-49756

Aliases

GHSA-hf59-7rwq-785m

Published

2024-10-23T17:15:19Z

Modified

2024-10-25T13:49:24.667344Z

Summary

[none]

Details

AshPostgres is the PostgreSQL data layer for Ash Framework. Starting in version 2.0.0 and prior to version 2.4.10, in certain very specific situations, it was possible for the policies of an update action to be skipped. This occurred only on "empty" update actions (no changing fields), and would allow their hooks (side effects) to be performed when they should not have been. Note that this does not allow reading new data that the user should not have had access to, only triggering a side effect a user should not have been able to trigger.

To be vulnerable, an affected user must have an update action that is on a resource with no attributes containing an "update default" (updated_at timestamp, for example); can be performed atomically; does not have require_atomic? false; has at least one authorizer (typically Ash.Policy.Authorizer); and has at least one change (on the resource's changes block or in the action itself). This is where the side-effects would be performed when they should not have been.

This problem has been patched in 2.4.10 of ash_postgres. Several workarounds are available. Potentially affected users may determine that none of their actions are vulnerable using a script the maintainers provide in the GitHub Security Advisory, add require_atomic? false to any potentially affected update action, replace any usage of Ash.update with Ash.bulk_update for an affected action, and/or add an update timestamp to their action.

References

Affected packages

Git / github.com/ash-project/ash_postgres

Affected ranges

Type: GIT
Repo: https://github.com/ash-project/ash_postgres
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1228fcd851f29a68609e236f7d6a2622a4b5c4ba

Affected versions

v0.*

v0.1.2

v0.1.3

v0.1.4

v0.10.0

v0.11.0

v0.11.2

v0.12.0

v0.12.1

v0.13.0

v0.14.0

v0.16.0

v0.16.1

v0.18.0

v0.19.0

v0.2.0

v0.2.1

v0.20.0

v0.20.1

v0.21.0

v0.22.0

v0.22.1

v0.23.0

v0.23.1

v0.23.2

v0.24.0

v0.25.0

v0.25.1

v0.25.2

v0.25.3

v0.25.4

v0.25.5

v0.26.0

v0.26.1

v0.26.2

v0.27.0

v0.28.0

v0.28.1

v0.29.1

v0.29.2

v0.29.3

v0.29.4

v0.29.5

v0.29.6

v0.3.0

v0.30.0

v0.30.1

v0.31.0

v0.31.1

v0.32.0

v0.32.1

v0.32.2

v0.33.0

v0.33.1

v0.34.0

v0.34.1

v0.34.2

v0.34.3

v0.34.4

v0.34.5

v0.34.6

v0.34.7

v0.35.0

v0.35.1

v0.35.4

v0.35.5

v0.36.0

v0.36.1

v0.36.2

v0.36.3

v0.36.4

v0.36.5

v0.37.0

v0.37.1

v0.37.2

v0.37.3

v0.37.4

v0.37.6

v0.37.7

v0.37.8

v0.38.0

v0.38.1

v0.38.10

v0.38.11

v0.38.2

v0.38.3

v0.38.4

v0.38.5

v0.38.6

v0.38.7

v0.38.8

v0.38.9

v0.39.0-rc0

v0.4.0

v0.40.0-rc1

v0.40.0-rc2

v0.40.0-rc3

v0.40.0-rc4

v0.40.0-rc5

v0.40.1

v0.40.10

v0.40.11

v0.40.2

v0.40.3

v0.40.4

v0.40.5

v0.40.6

v0.40.7

v0.40.8

v0.40.9

v0.41.0-rc.1

v0.41.0-rc.2

v0.41.0-rc.3

v0.41.0-rc.4

v0.41.0-rc.5

v0.41.0-rc.6

v0.41.0-rc.7

v0.41.0-rc.8

v0.41.0-rc.9

v0.41.0-rc0

v0.41.1

v0.41.2

v0.41.3

v0.41.4

v0.41.5

v0.41.6

v0.41.7

v0.42.0-rc.0

v0.42.0-rc.1

v0.42.0-rc.2

v0.42.0-rc.3

v0.42.0-rc.4

v0.42.0-rc.5

v0.42.0-rc.6

v0.42.0-rc.7

v0.43.0

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.9.0

v1.*

v1.0.0

v1.0.0-rc.0

v1.0.0-rc.1

v1.0.0-rc.2

v1.0.0-rc.3

v1.0.0-rc.4

v1.0.0-rc.5

v1.0.0-rc.6

v1.0.0-rc.7

v1.0.0-rc.8

v1.0.0-rc.9

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.2.0

v1.2.0-rc.0

v1.2.0-rc.1

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.3.0

v1.3.0-rc.0

v1.3.0-rc.1

v1.3.0-rc.2

v1.3.0-rc.3

v1.3.0-rc.4

v1.3.1

v1.3.10

v1.3.11

v1.3.12

v1.3.13

v1.3.14

v1.3.15

v1.3.16

v1.3.17

v1.3.18

v1.3.19

v1.3.2

v1.3.20

v1.3.21

v1.3.22

v1.3.23

v1.3.24

v1.3.25

v1.3.26

v1.3.27

v1.3.28

v1.3.29

v1.3.3

v1.3.30

v1.3.31

v1.3.32

v1.3.33

v1.3.34

v1.3.35

v1.3.36

v1.3.37

v1.3.38

v1.3.39

v1.3.4

v1.3.40

v1.3.41

v1.3.42

v1.3.43

v1.3.44

v1.3.45

v1.3.46

v1.3.47

v1.3.48

v1.3.49

v1.3.5

v1.3.50

v1.3.51

v1.3.53

v1.3.54

v1.3.55

v1.3.56

v1.3.57

v1.3.58

v1.3.59

v1.3.6

v1.3.60

v1.3.61

v1.3.62

v1.3.63

v1.3.64

v1.3.65

v1.3.66

v1.3.67

v1.3.68

v1.3.8

v1.3.9

v1.4.0

v1.5.0

v1.5.1

v1.5.10

v1.5.11

v1.5.12

v1.5.13

v1.5.14

v1.5.15

v1.5.16

v1.5.17

v1.5.19

v1.5.2

v1.5.20

v1.5.21

v1.5.22

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.5.7

v1.5.8

v1.5.9

v2.*

v2.0.0-rc.0

v2.0.0-rc.1

v2.0.0-rc.10

v2.0.0-rc.11

v2.0.0-rc.12

v2.0.0-rc.13

v2.0.0-rc.14

v2.0.0-rc.15

v2.0.0-rc.2

v2.0.0-rc.3

v2.0.0-rc.4

v2.0.0-rc.5

v2.0.0-rc.6

v2.0.0-rc.7

v2.0.0-rc.8

v2.0.0-rc.9

v2.0.10

v2.0.11

v2.0.12

v2.0.2

v2.0.3

v2.0.4

v2.0.7

v2.0.8

v2.0.9

v2.1.1

v2.1.10

v2.1.11

v2.1.12

v2.1.13

v2.1.14

v2.1.15

v2.1.17

v2.1.18

v2.1.19

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v2.1.6

v2.1.8

v2.1.9

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.3.0

v2.3.1

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9