PT-2025-36416 · Ash · Ash
Jonatan Männchen +1 · Published 2025-09-07 · Updated 2025-09-15 · CVE-2025-48042
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
ash versions prior to 3.5.39
Description
An incorrect authorization vulnerability exists in ash, allowing exploitation of incorrectly configured access control security levels. This issue is associated with the program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, and lib/ash/actions/update/bulk.ex, and the program routines Elixir.Ash.Actions.Create.Bulk:run/5, Elixir.Ash.Actions.Destroy.Bulk:run/6, and Elixir.Ash.Actions.Update.Bulk:run/6.
Recommendations
Update to ash version 3.5.39 or later.
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Ash