{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49756", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-10-18T13:43:23.454Z", "datePublished": "2024-10-23T17:04:50.037Z", "dateUpdated": "2024-10-24T13:59:48.830Z"}, "containers": {"cna": {"title": "AshPostgres empty, atomic, non-bulk actions, policy bypass for side-effects vulnerability.", "problemTypes": [{"descriptions": [{"cweId": "CWE-552", "lang": "en", "description": "CWE-552: Files or Directories Accessible to External Parties", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ash-project/ash_postgres/security/advisories/GHSA-hf59-7rwq-785m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ash-project/ash_postgres/security/advisories/GHSA-hf59-7rwq-785m"}, {"name": "https://github.com/ash-project/ash_postgres/commit/1228fcd851f29a68609e236f7d6a2622a4b5c4ba", "tags": ["x_refsource_MISC"], "url": "https://github.com/ash-project/ash_postgres/commit/1228fcd851f29a68609e236f7d6a2622a4b5c4ba"}, {"name": "https://elixirforum.com/t/empty-update-action-with-policies/66954", "tags": ["x_refsource_MISC"], "url": "https://elixirforum.com/t/empty-update-action-with-policies/66954"}, {"name": "https://gist.github.com/zachdaniel/e49166b765978c48dfaf998d06df436e", "tags": ["x_refsource_MISC"], "url": "https://gist.github.com/zachdaniel/e49166b765978c48dfaf998d06df436e"}], "affected": [{"vendor": "ash-project", "product": "ash_postgres", "versions": [{"version": ">= 2.0.0, < 2.4.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-23T17:04:50.037Z"}, "descriptions": [{"lang": "en", "value": "AshPostgres is the PostgreSQL data layer for Ash Framework. Starting in version 2.0.0 and prior to version 2.4.10, in certain very specific situations, it was possible for the policies of an update action to be skipped. This occurred only on \"empty\" update actions (no changing fields), and would allow their hooks (side effects) to be performed when they should not have been. Note that this does not allow reading new data that the user should not have had access to, only triggering a side effect a user should not have been able to trigger.\n\nTo be vulnerable, an affected user must have an update action that is on a resource with no attributes containing an \"update default\" (updated_at timestamp, for example); can be performed atomically; does not have `require_atomic? false`; has at least one authorizer (typically `Ash.Policy.Authorizer`); and has at least one `change` (on the resource's `changes` block or in the action itself). This is where the side-effects would be performed when they should not have been.\n\nThis problem has been patched in `2.4.10` of `ash_postgres`. Several workarounds are available. Potentially affected users may determine that none of their actions are vulnerable using a script the maintainers provide in the GitHub Security Advisory, add `require_atomic? false` to any potentially affected update action, replace any usage of `Ash.update` with `Ash.bulk_update` for an affected action, and/or add an update timestamp to their action."}], "source": {"advisory": "GHSA-hf59-7rwq-785m", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "ash_framework", "product": "ashpostgres", "cpes": ["cpe:2.3:a:ash_framework:ashpostgres:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.0", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "2.4.10", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-24T13:52:11.056367Z", "id": "CVE-2024-49756", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-24T13:59:48.830Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49756", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-24T13:52:11.056367Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ash_framework:ashpostgres:*:*:*:*:*:*:*:*"], "vendor": "ash_framework", "product": "ashpostgres", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.0"}, {"status": "affected", "version": "0", "lessThan": "2.4.10", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-24T13:59:42.775Z"}}], "cna": {"title": "AshPostgres empty, atomic, non-bulk actions, policy bypass for side-effects vulnerability.", "source": {"advisory": "GHSA-hf59-7rwq-785m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ash-project", "product": "ash_postgres", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.4.10"}]}], "references": [{"url": "https://github.com/ash-project/ash_postgres/security/advisories/GHSA-hf59-7rwq-785m", "name": "https://github.com/ash-project/ash_postgres/security/advisories/GHSA-hf59-7rwq-785m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ash-project/ash_postgres/commit/1228fcd851f29a68609e236f7d6a2622a4b5c4ba", "name": "https://github.com/ash-project/ash_postgres/commit/1228fcd851f29a68609e236f7d6a2622a4b5c4ba", "tags": ["x_refsource_MISC"]}, {"url": "https://elixirforum.com/t/empty-update-action-with-policies/66954", "name": "https://elixirforum.com/t/empty-update-action-with-policies/66954", "tags": ["x_refsource_MISC"]}, {"url": "https://gist.github.com/zachdaniel/e49166b765978c48dfaf998d06df436e", "name": "https://gist.github.com/zachdaniel/e49166b765978c48dfaf998d06df436e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AshPostgres is the PostgreSQL data layer for Ash Framework. Starting in version 2.0.0 and prior to version 2.4.10, in certain very specific situations, it was possible for the policies of an update action to be skipped. This occurred only on \"empty\" update actions (no changing fields), and would allow their hooks (side effects) to be performed when they should not have been. Note that this does not allow reading new data that the user should not have had access to, only triggering a side effect a user should not have been able to trigger.\n\nTo be vulnerable, an affected user must have an update action that is on a resource with no attributes containing an \"update default\" (updated_at timestamp, for example); can be performed atomically; does not have `require_atomic? false`; has at least one authorizer (typically `Ash.Policy.Authorizer`); and has at least one `change` (on the resource's `changes` block or in the action itself). This is where the side-effects would be performed when they should not have been.\n\nThis problem has been patched in `2.4.10` of `ash_postgres`. Several workarounds are available. Potentially affected users may determine that none of their actions are vulnerable using a script the maintainers provide in the GitHub Security Advisory, add `require_atomic? false` to any potentially affected update action, replace any usage of `Ash.update` with `Ash.bulk_update` for an affected action, and/or add an update timestamp to their action."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-552", "description": "CWE-552: Files or Directories Accessible to External Parties"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-23T17:04:50.037Z"}}}, "cveMetadata": {"cveId": "CVE-2024-49756", "state": "PUBLISHED", "dateUpdated": "2024-10-24T13:59:48.830Z", "dateReserved": "2024-10-18T13:43:23.454Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-10-23T17:04:50.037Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "AshPostgres is the PostgreSQL data layer for Ash Framework. Starting in version 2.0.0 and prior to version 2.4.10, in certain very specific situations, it was possible for the policies of an update action to be skipped. This occurred only on \"empty\" update actions (no changing fields), and would allow their hooks (side effects) to be performed when they should not have been. Note that this does not allow reading new data that the user should not have had access to, only triggering a side effect a user should not have been able to trigger.\n\nTo be vulnerable, an affected user must have an update action that is on a resource with no attributes containing an \"update default\" (updated_at timestamp, for example); can be performed atomically; does not have `require_atomic? false`; has at least one authorizer (typically `Ash.Policy.Authorizer`); and has at least one `change` (on the resource's `changes` block or in the action itself). This is where the side-effects would be performed when they should not have been.\n\nThis problem has been patched in `2.4.10` of `ash_postgres`. Several workarounds are available. Potentially affected users may determine that none of their actions are vulnerable using a script the maintainers provide in the GitHub Security Advisory, add `require_atomic? false` to any potentially affected update action, replace any usage of `Ash.update` with `Ash.bulk_update` for an affected action, and/or add an update timestamp to their action."}, {"lang": "es", "value": "AshPostgres es la capa de datos PostgreSQL para Ash Framework. A partir de la versi\u00f3n 2.0.0 y antes de la versi\u00f3n 2.4.10, en ciertas situaciones muy espec\u00edficas, era posible omitir las pol\u00edticas de una acci\u00f3n de actualizaci\u00f3n. Esto solo ocurr\u00eda en acciones de actualizaci\u00f3n \"vac\u00edas\" (sin campos de cambio) y permit\u00eda que se ejecutaran sus ganchos (efectos secundarios) cuando no deber\u00edan haberse realizado. Tenga en cuenta que esto no permite leer datos nuevos a los que el usuario no deber\u00eda haber tenido acceso, solo activa un efecto secundario que un usuario no deber\u00eda haber podido activar. Para ser vulnerable, un usuario afectado debe tener una acci\u00f3n de actualizaci\u00f3n que se encuentre en un recurso sin atributos que contengan un \"valor predeterminado de actualizaci\u00f3n\" (por ejemplo, marca de tiempo update_at); se puede realizar de forma at\u00f3mica; no tiene `require_atomic? false`; tiene al menos un autorizador (normalmente `Ash.Policy.Authorizer`); y tiene al menos un `change` (en el bloque `changes` del recurso o en la acci\u00f3n misma). Aqu\u00ed es donde se realizar\u00edan los efectos secundarios cuando no deber\u00edan haberse realizado. Este problema se ha corregido en `2.4.10` de `ash_postgres`. Hay varios workarounds disponibles. Los usuarios potencialmente afectados pueden determinar que ninguna de sus acciones es vulnerable utilizando un script que los fabricantes proporcionan en el Aviso de seguridad de GitHub, agregar `require_atomic? false` a cualquier acci\u00f3n de actualizaci\u00f3n potencialmente afectada, reemplazar cualquier uso de `Ash.update` con `Ash.bulk_update` para una acci\u00f3n afectada y/o agregar una marca de tiempo de actualizaci\u00f3n a su acci\u00f3n."}], "id": "CVE-2024-49756", "lastModified": "2024-10-25T12:56:36.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-10-23T17:15:19.250", "references": [{"source": "security-advisories@github.com", "url": "https://elixirforum.com/t/empty-update-action-with-policies/66954"}, {"source": "security-advisories@github.com", "url": "https://gist.github.com/zachdaniel/e49166b765978c48dfaf998d06df436e"}, {"source": "security-advisories@github.com", "url": "https://github.com/ash-project/ash_postgres/commit/1228fcd851f29a68609e236f7d6a2622a4b5c4ba"}, {"source": "security-advisories@github.com", "url": "https://github.com/ash-project/ash_postgres/security/advisories/GHSA-hf59-7rwq-785m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}