PT-2024-17934 · Unknown · Kinto-Attachment

Published: 2024-02-08 · Updated: 2024-02-08 · CVE-2024-1314

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: kinto-attachment versions prior to 6.4.0

Description: The issue allows the attachment file of an existing record to be replaced if the user has read permission on one of the record's parent collections or buckets. Furthermore, if read permission is granted to system.Everyone on one of the parents, the attachment can be replaced by an anonymous request. A record's attachment is safe only if none of its parents carries an explicit read permission.

Recommendations: For versions prior to 6.4.0, update to version 6.4.0 or apply the patch individually to resolve the issue. As a temporary workaround, consider restricting read permission on parent collections or buckets to minimize the risk of exploitation.
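The following is an added example, not code from kinto-attachment or from this advisory. It models the Kinto bucket > collection > record hierarchy with per-object permission sets in the shape the Kinto API exposes them ({"read": [...], "write": [...]}) and contrasts the pre-6.4.0 authorization logic as the advisory describes it (read on any parent suffices) with a hardened check that treats an attachment replacement as a write on the record. It also includes a small audit helper for the temporary workaround: finding parents that grant read to system.Everyone. The hierarchy, principal names such as account:alice, and all function names are assumptions constructed for the example; the hardened check is an assumed shape of the fix, not the project's code.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator

# Kinto's principal for unauthenticated callers (name taken from the advisory).
EVERYONE = "system.Everyone"


@dataclass
class Resource:
    """A bucket, collection or record with its own permission sets, in the
    shape the Kinto API returns them ({"read": [...], "write": [...]})."""
    path: str
    parent: Resource | None
    permissions: dict[str, set[str]] = field(default_factory=dict)

    def ancestors(self) -> Iterator[Resource]:
        """Walk upwards: record -> collection -> bucket."""
        node = self.parent
        while node is not None:
            yield node
            node = node.parent

    def holders(self, permission: str) -> set[str]:
        return self.permissions.get(permission, set())


def vulnerable_can_replace_attachment(record: Resource, principals: set[str]) -> bool:
    """Pre-6.4.0 logic as the advisory describes it: read on any parent
    bucket or collection is enough to overwrite the record's attachment."""
    return any(p.holders("read") & principals for p in record.ancestors())


def fixed_can_replace_attachment(record: Resource, principals: set[str]) -> bool:
    """Hardened check (assumed shape of the fix, not the project's code):
    replacing an attachment is a write, so the caller must hold write on the
    record itself or on an ancestor (Kinto inherits write downwards)."""
    for node in (record, *record.ancestors()):
        if node.holders("write") & principals:
            return True
    return False


def everyone_readable(resources: list[Resource]) -> list[str]:
    """Audit helper for the temporary workaround: list objects that grant read
    to system.Everyone. On an unpatched server every record below such a
    bucket or collection is exposed to anonymous attachment replacement."""
    return [r.path for r in resources if EVERYONE in r.holders("read")]


def restrict_read(resource: Resource) -> None:
    """Workaround from the advisory: drop the system.Everyone read grant."""
    resource.holders("read").discard(EVERYONE)


def build_sample() -> tuple[Resource, Resource, Resource]:
    """Constructed sample hierarchy: the bucket is world-readable, only
    account:alice can write, and the record carries no permissions of its own."""
    bucket = Resource("/buckets/blog", None,
                      {"write": {"account:alice"}, "read": {EVERYONE}})
    collection = Resource("/buckets/blog/collections/posts", bucket,
                          {"write": {"account:alice"}})
    record = Resource("/buckets/blog/collections/posts/records/1", collection)
    return bucket, collection, record


def main() -> None:
    bucket, collection, record = build_sample()
    anonymous = {EVERYONE}
    alice = {"account:alice", EVERYONE}
    print("anonymous, pre-6.4.0 logic:", vulnerable_can_replace_attachment(record, anonymous))  # True
    print("anonymous, hardened check :", fixed_can_replace_attachment(record, anonymous))       # False
    print("alice, hardened check     :", fixed_can_replace_attachment(record, alice))           # True
    print("everyone-readable objects :", everyone_readable([bucket, collection, record]))      # ['/buckets/blog']
    restrict_read(bucket)  # apply the workaround
    print("anonymous, after workaround:", vulnerable_can_replace_attachment(record, anonymous))  # False


if __name__ == "__main__":
    main()
```

The audit helper operates on the permission sets as they come back from the API, so it can be pointed at the "permissions" object of each bucket and collection response when checking a server that cannot yet be upgraded; the point of the workaround is that removing the system.Everyone read grant from every parent closes the anonymous path, while authenticated users with read on a parent remain able to replace attachments until 6.4.0 is deployed.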

Fix

Related Identifiers

CVE-2024-1314
GHSA-HVP4-VRV2-8WRQ

Affected Products

Kinto-Attachment