CVSS base score: 10.0 CRITICAL
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Activity log
- Created automatic suggestion
- @mweinelt removed 5 packages:
  - ovito
  - nvitop
  - python312Packages.devito
  - python313Packages.devito
  - python314Packages.devito
- @mweinelt dismissed
Vito: Cross-project privilege escalation in workflow site-creation actions allows unauthorized server modification
Vito is a self-hosted web application that helps manage servers and deploy PHP applications to production servers. Prior to version 3.20.3, a missing authorization check in the workflow site-creation actions allows an authenticated attacker who has workflow write access in one project to create or manage sites on servers belonging to other projects by supplying a server_id from a foreign project. This issue has been patched in version 3.20.3.
References
- https://github.com/vitodeploy/vito/security/advisories/GHSA-3m6w-8qh4-qr76 x_refsource_CONFIRM
- https://github.com/vitodeploy/vito/pull/1036 x_refsource_MISC
- https://github.com/vitodeploy/vito/commit/0fdcfe5f0b93da644a0456e0e4544763828e3326 x_refsource_MISC
- https://github.com/vitodeploy/vito/releases/tag/3.20.3 x_refsource_MISC
Affected products
- ==< 3.20.3
Ignored packages (5)
- pkgs.ovito: Scientific visualization and analysis software for atomistic and particle simulation data
- pkgs.nvitop: Interactive NVIDIA-GPU process viewer, the one-stop solution for GPU process management
- pkgs.python312Packages.devito: Code generation framework for automated finite difference computation
- pkgs.python313Packages.devito: Code generation framework for automated finite difference computation
- pkgs.python314Packages.devito: Code generation framework for automated finite difference computation