8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-1314

GHSA ID

GHSA-hvp4-vrv2-8wrq

EPSS Score

CWE

Published

2/8/2024

Updated

2/8/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-1314

CVE-2024-1314:
Kinto Attachment's attachments can be replaced on read-only records

Impact

The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent (collection or bucket).

And if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request.

Note that if the parent has no explicit read permission, then the records attachments are safe.

Patches

Patch released in kinto-attachment 6.4.0
https://github.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1

Workarounds

None if the read permission has to remain granted.

Updating to 6.4.0 or applying the patch individually (if updating is not feasible) is strongly recommended.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1879034

(GitHub Advisory)

8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-1314

GHSA ID

GHSA-hvp4-vrv2-8wrq

EPSS Score

CWE

Published

2/8/2024

Updated

2/8/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
kinto-attachment	pip	<= 6.3.2	6.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper authorization context handling in AttachmentRouteFactory. The pre-patch code didn't set 'self.current_object = existing' when records existed, which is critical for Kinto's authorization policy to distinguish between collection-level and record-level operations. This caused the system to check create permissions on the parent collection (which might be granted via read inheritance) instead of requiring write permissions on the existing record. The patch explicitly sets the current_object context and adds security-focused test cases to validate this behavior.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** *tt***m*nt *il* o* *n *xistin* r**or* **n ** r*pl**** i* t** us*r **s `"r***"` p*rmission on on* o* t** p*r*nt (*oll**tion or *u*k*t). *n* i* t** `"r***"` p*rmission is *iv*n to `"syst*m.*v*ryon*"` on on* o* t** p*r*nt, t**n t** *tt*

Reasoning

T** vuln*r**ility st*mm** *rom improp*r *ut*oriz*tion *ont*xt **n*lin* in *tt***m*ntRout****tory. T** pr*-p*t** *o** *i*n't s*t 's*l*.*urr*nt_o*j**t = *xistin*' w**n r**or*s *xist**, w*i** is *riti**l *or Kinto's *ut*oriz*tion poli*y to *istin*uis* *

8.6

Basic Information

Concerned about an active attack path?

CVE-2024-1314: Kinto Attachment's attachments can be replaced on read-only records

Impact

Patches

Workarounds

References

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-1314:
Kinto Attachment's attachments can be replaced on read-only records

Vulnerability Intelligence
Miggo AI