CVE-2019-14273: Broken access control on files
CVSS Score: 5.3 (CVSS v3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.55844%
CWE
Published: 7/15/2020
Updated: 2/1/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| silverstripe/framework | composer | >= 4.0.0, < 4.3.5 | 4.3.5 |
| silverstripe/framework | composer | >= 4.4.0, < 4.4.4 | 4.4.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing access control checks when serving files embedded in published content. File::getURL() likely provided direct-access URLs without taking the permissions of the embedding context into account, while AssetStore::getAsStream() served content without re-validating permissions for the current request context. As a result, protected files could be reached through links in published content despite the folder's protection settings. The migration task mentioned in SilverStripe's advisory suggests that the fix changed how URLs are generated and how access is validated.