PT-2024-9137 · Unknown · Ashpostgres
Rapidfsub · Published 2024-10-23 · Updated 2024-10-25 · CVE-2024-49756
CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AshPostgres versions 2.0.0 through 2.4.9
Description: Policies are skipped on update actions under specific conditions, so a side effect can be triggered when it should not have been. This occurs only on "empty" update actions, i.e. updates with no changing fields. An update action is vulnerable only if it meets all of the following criteria: it is on a resource with no attribute that has an update_default; it can be performed atomically; it does not set require_atomic? false; it has at least one authorizer; and it has at least one change. The flaw does not allow reading new data the user should not have had access to; it only allows triggering a side effect the user should not have been able to trigger.
Recommendations: To resolve the issue for versions 2.0.0 through 2.4.9, update to version 2.4.10 of ash_postgres. As a temporary workaround, add require_atomic? false to any potentially affected update action. Alternatively, replace any use of Ash.update with Ash.bulk_update for an affected action, or add an update timestamp to the action. Confirm that none of the actions are vulnerable using the provided script.

Related Identifiers

BDU:2024-10824
CVE-2024-49756
GHSA-HF59-7RWQ-785M

Affected Products

Ashpostgres