CVE-2022-1810: Publify has Improper Access Controls
CVSS Score: 4.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-1810
GHSA ID:
EPSS Score: 0.18282%
CWE:
Published: 5/24/2022
Updated: 8/25/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
publify_core | rubygems | < 9.2.9 | 9.2.9 |
Vulnerability Intelligence (Miggo AI)
Root Cause Analysis
The vulnerability stems from the pre-patch implementation, where:
- The article ID was taken from either the article[id] body parameter or the URL parameter params[:id]
- The authorization check used the URL parameter params[:id], while the actual operation used the user-controlled article[id]
- Because the two values could differ, a request could pass the check for one article and act on another, bypassing authorization via parameter tampering
The commit fixes this by using params[:id] for both the authorization check and the article lookup, and the added test case explicitly verifies that an article[id] parameter can no longer redirect the operation.
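The mismatch described above, as a constructed plain-Ruby illustration added here (not Publify's code): `update_vulnerable` authorizes on `params[:id]` but loads the record by `article[:id]`, while `update_fixed` uses `params[:id]` for both. The in-memory store, the `authorized?` ownership check and the assumption that `article[:id]` takes precedence over `params[:id]` are all hypothetical.

```ruby
# Constructed illustration (not Publify's code) of the id-source mismatch
# in the root cause analysis, alongside the corrected pattern.
Article = Struct.new(:id, :user_id, :title)

class NotAuthorized < StandardError; end

# Fresh in-memory store for each run: two articles owned by two users.
def fresh_articles
  {
    1 => Article.new(1, 10, "owned by user 10"),
    2 => Article.new(2, 20, "owned by user 20"),
  }
end

# Hypothetical ownership check standing in for the real authorization layer.
def authorized?(store, user_id, article_id)
  article = store[article_id]
  !article.nil? && article.user_id == user_id
end

# Pre-patch shape: the check looks at params[:id], but the record that is
# actually updated is chosen by article[:id] when the client supplies one
# (precedence order assumed for illustration).
def update_vulnerable(store, user_id, params)
  raise NotAuthorized unless authorized?(store, user_id, params[:id])
  target_id = params.dig(:article, :id) || params[:id]
  article = store.fetch(target_id)
  article.title = params[:article][:title]
  article
end

# Patched shape: params[:id] is the single source of truth for both the
# authorization check and the lookup, so any article[:id] is ignored.
def update_fixed(store, user_id, params)
  raise NotAuthorized unless authorized?(store, user_id, params[:id])
  article = store.fetch(params[:id])
  article.title = params[:article][:title]
  article
end
```

A regression test for the fix should send a request whose `article[:id]` differs from `params[:id]` and assert that only the record named by `params[:id]` changes.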