N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-9gjv-jvm7-vv2v

GHSA-9gjv-jvm7-vv2v: Gramps Web API: Private Sub-Object Data in Non-Private Objects Exposed to Guest Users

Summary

Users with the Guest role could receive private sub-object data (e.g. private alternate names, private addresses, private note/citation/media handles) through list API endpoints such as GET /api/people/, GET /api/places/, GET /api/events/, and all other object list endpoints.

This does not expose objects (people, places, events, …) that are themselves marked private. Top-level private objects are correctly excluded from all responses. Only sub-object data attached to otherwise-public objects is affected.

Affected Versions

All versions of Gramps Web API prior to the fix.

Root Cause

The vulnerability originates from the behaviour of PrivateProxyDb.iter_*() in Gramps core. The ProxyDbBase.__iter_object() helper, which backs all iter_*() methods in PrivateProxyDb, correctly filters out top-level private objects but returns the remaining objects unsanitized — i.e. without stripping private sub-object references. In contrast, PrivateProxyDb.get_*_from_handle() does call the appropriate sanitize_*() function.

Gramps Web API's ModifiedPrivateProxyDb (which wraps the raw database for non-admin users) inherited this behaviour without override.

The same issue affects Gramps desktop features that consume iter_*() output: reports and exports generated via Gramps desktop using PrivateProxyDb may also include private sub-object data that should have been stripped.

Conditions Required

This issue only affects trees in which sub-objects have been explicitly marked private in Gramps desktop. The Gramps Web frontend UI does not expose controls for setting the private flag on sub-objects (alternate names, addresses, notes, citations, media references, event references, etc.). In practice, such flags are set in Gramps desktop and then synced or imported into Gramps Web.

Impact

When the conditions above are met, a user with the Guest role querying any list endpoint receives:

Full content of private embedded sub-objects on people, such as alternate names (first name, surname, etc.) and addresses (street, city, etc.).
Handles referencing private notes, citations, and media attached to places, events, sources, and other objects. These reveal the existence of private linked objects but not their content; fetching those objects by handle is correctly blocked by the proxy.

Fix

ModifiedPrivateProxyDb now overrides all iter_*() object methods to check obj.get_privacy() directly on the already-loaded object (eliminating the redundant per-object refetch) and to call the appropriate sanitize_*() function before yielding each object. This is consistent with the behaviour of get_*_from_handle() in PrivateProxyDb.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-9gjv-jvm7-vv2v

GHSA-9gjv-jvm7-vv2v:

N/A

CVSS Score

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
gramps-webapi	pip	< 3.11.0	3.11.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allowed guest users to access private sub-object data (e.g., private notes, names, addresses) attached to public objects. The root cause was that the iter_* methods in gramps_webapi.api.db_proxy.ModifiedPrivateProxyDb did not sanitize the objects they returned. These methods inherited their behavior from gramps.gen.db.proxy.PrivateProxyDb from the Gramps core library. The iter_* methods in PrivateProxyDb filter out top-level private objects but do not sanitize the sub-objects of the public objects they return. This allowed private data to leak through the API list endpoints.

The fix, identified in commit d396722132ea64bc2bc611874ce3f9b239ea9a5b, was to override all nine iter_* methods in ModifiedPrivateProxyDb. The patch adds logic to each of these methods to explicitly call the corresponding sanitize_* method for each object before yielding it. This ensures that any private sub-object data is stripped before being sent in an API response.

Vulnerable functions

ModifiedPrivateProxyDb.iter_people

gramps_webapi/api/db_proxy.py

The function `iter_people` in `ModifiedPrivateProxyDb` was vulnerable because it yielded `Person` objects without sanitizing them. The parent class method `super().iter_people()` returns objects that may contain private sub-objects (like private alternate names or addresses). By yielding these objects directly, the function exposed this private data to unauthorized users, such as guests, through API endpoints like `GET /api/people/`.

ModifiedPrivateProxyDb.iter_families

gramps_webapi/api/db_proxy.py

The function `iter_families` in `ModifiedPrivateProxyDb` was vulnerable because it yielded `Family` objects without sanitizing them. The parent class method `super().iter_families()` returns objects that may contain private sub-objects. By yielding these objects directly, the function exposed this private data to unauthorized users, such as guests, through API endpoints.

ModifiedPrivateProxyDb.iter_events

gramps_webapi/api/db_proxy.py

The function `iter_events` in `ModifiedPrivateProxyDb` was vulnerable because it yielded `Event` objects without sanitizing them. The parent class method `super().iter_events()` returns objects that may contain private sub-objects. By yielding these objects directly, the function exposed this private data to unauthorized users, such as guests, through API endpoints like `GET /api/events/`.

ModifiedPrivateProxyDb.iter_places

gramps_webapi/api/db_proxy.py

The function `iter_places` in `ModifiedPrivateProxyDb` was vulnerable because it yielded `Place` objects without sanitizing them. The parent class method `super().iter_places()` returns objects that may contain private sub-objects. By yielding these objects directly, the function exposed this private data to unauthorized users, such as guests, through API endpoints like `GET /api/places/`.

ModifiedPrivateProxyDb.iter_sources

gramps_webapi/api/db_proxy.py

The function `iter_sources` in `ModifiedPrivateProxyDb` was vulnerable because it yielded `Source` objects without sanitizing them. The parent class method `super().iter_sources()` returns objects that may contain private sub-objects. By yielding these objects directly, the function exposed this private data to unauthorized users, such as guests, through API endpoints.

ModifiedPrivateProxyDb.iter_citations

gramps_webapi/api/db_proxy.py

The function `iter_citations` in `ModifiedPrivateProxyDb` was vulnerable because it yielded `Citation` objects without sanitizing them. The parent class method `super().iter_citations()` returns objects that may contain private sub-objects. By yielding these objects directly, the function exposed this private data to unauthorized users, such as guests, through API endpoints.

ModifiedPrivateProxyDb.iter_repositories

gramps_webapi/api/db_proxy.py

The function `iter_repositories` in `ModifiedPrivateProxyDb` was vulnerable because it yielded `Repository` objects without sanitizing them. The parent class method `super().iter_repositories()` returns objects that may contain private sub-objects. By yielding these objects directly, the function exposed this private data to unauthorized users, such as guests, through API endpoints.

ModifiedPrivateProxyDb.iter_media

gramps_webapi/api/db_proxy.py

The function `iter_media` in `ModifiedPrivateProxyDb` was vulnerable because it yielded `Media` objects without sanitizing them. The parent class method `super().iter_media()` returns objects that may contain private sub-objects. By yielding these objects directly, the function exposed this private data to unauthorized users, such as guests, through API endpoints.

ModifiedPrivateProxyDb.iter_notes

gramps_webapi/api/db_proxy.py

The function `iter_notes` in `ModifiedPrivateProxyDb` was vulnerable because it yielded `Note` objects without sanitizing them. The parent class method `super().iter_notes()` returns objects that may contain private sub-objects. By yielding these objects directly, the function exposed this private data to unauthorized users, such as guests, through API endpoints.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-9gjv-jvm7-vv2v: Gramps Web API: Private Sub-Object Data in Non-Private Objects Exposed to Guest Users

Summary

Affected Versions

Root Cause

Conditions Required

Impact

Fix

GHSA-9gjv-jvm7-vv2v:

N/A

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Basic Information

Basic Information

GHSA-9gjv-jvm7-vv2v: Gramps Web API: Private Sub-Object Data in Non-Private Objects Exposed to Guest Users

Summary

Affected Versions

Root Cause

Conditions Required

Impact

Fix

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI