5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-6165

GHSA ID

GHSA-589q-75r3-mfq4

EPSS Score

0.37569%

CWE

CWE-276

Published

5/24/2022

Updated

2/7/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-6165

CVE-2020-6165: Silverstripe has Incorrect Default Permissions

SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g., through pagination), resulting in records that should have failed a permission check being added to the final result set. GraphQL endpoints are configured by default (e.g., for assets), but the admin/graphql endpoint is access protected by default. This limits the vulnerability to all authenticated users, including those with limited permissions (e.g., where viewing records exposed through admin/graphql requires administrator permissions). However, if custom GraphQL endpoints have been configured for a specific implementation (usually under /graphql), this vulnerability could also be exploited through unauthenticated requests. This vulnerability only applies to reading records; it does not allow unauthorised changing of records.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-6165

GHSA ID

GHSA-589q-75r3-mfq4

EPSS Score

0.37569%

CWE

CWE-276

Published

5/24/2022

Updated

2/7/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
silverstripe/recipe-cms	composer	>= 4.5.0, < 4.5.3	4.5.3
silverstripe/graphql	composer	>= 3.2.0, < 3.2.4	3.2.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper ordering of permission checks relative to query limitations. The changelogs explicitly mention moving 'query resolution after the DataListQuery has been altered' and ensuring 'canView() check is run on items.' This indicates that DataListQuery::resolve() executed permission checks on the full dataset before applying pagination/limits, leaving residual unauthorized records in the truncated result. The CanViewPermissionChecker::checkItem() method was likely invoked at the wrong stage in this flow. The patch corrected this by reordering the steps to apply permissions after query constraints.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Silv*rStrip* *.*.* *llows *tt**k*rs to r*** **rt*in r**or*s t**t s*oul* not **v* ***n pl**** into * r*sult s*t. T*is *****ts silv*rstrip*/r**ip*-*ms. T** *utom*ti* p*rmission-****kin* m****nism in t** silv*rstrip*/*r*p*ql mo*ul* *o*s not provi** *omp

Reasoning

T** vuln*r**ility st*ms *rom improp*r or**rin* o* p*rmission ****ks r*l*tiv* to qu*ry limit*tions. T** ***n**lo*s *xpli*itly m*ntion movin* 'qu*ry r*solution **t*r t** `**t*ListQu*ry` **s ***n *lt*r**' *n* *nsurin* '**nVi*w() ****k is run on it*ms.'

5.3

Basic Information

Concerned about an active attack path?

CVE-2020-6165: Silverstripe has Incorrect Default Permissions

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI