CVE-2019-12245: Incorrect Permission Assignment for Critical Resource
SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.
References
- forum.silverstripe.org/c/releases
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/assets/CVE-2019-12245.yaml
- github.com/advisories/GHSA-jvx5-rm6q-gx7p
- nvd.nist.gov/vuln/detail/CVE-2019-12245
- www.silverstripe.org/download/security-releases/
- www.silverstripe.org/download/security-releases/CVE-2019-12245
- www.silverstripe.org/download/security-releases/cve-2019-12245/