CVE-2021-43781

Name of the Vulnerable Software and Affected Versions: Invenio-Drafts-Resources versions prior to 0.13.7 and 0.14.6

Description: Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. The issue arises from improper permission checks when a record is published, making it exploitable in a default installation of InvenioRDM. An authenticated user can publish draft records of other users via REST API calls if they know the record identifier and the draft validates. However, the attacker cannot modify the data in the record, such as changing a record from restricted to public.

Recommendations: For Invenio-Drafts-Resources versions prior to 0.13.7, update to version 0.13.7 or later. For Invenio-Drafts-Resources versions prior to 0.14.6, update to version 0.14.6 or later. As a temporary workaround, consider restricting access to the REST API endpoints related to publishing draft records until a patch is applied.