Nixpkgs security tracker
7.7 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse ignored reference https://g…
-
@LeSuisse
ignored
17 packages
- go-outline
- mdbook-pdf-outline
- typstPackages.suboutline
- python312Packages.outlines
- python313Packages.outlines
- typstPackages.suboutline_0_1_0
- typstPackages.suboutline_0_2_0
- typstPackages.suboutline_0_3_0
- mplus-outline-fonts.osdnRelease
- python312Packages.outlines-core
- python313Packages.outlines-core
- python314Packages.outlines-core
- typstPackages.outline-summaryst
- mplus-outline-fonts.githubRelease
- pkgsRocm.python3Packages.outlines
- typstPackages.outline-summaryst_0_1_0
- pkgsRocm.python3Packages.outlines-core
- @LeSuisse accepted
-
@LeSuisse
ignored
maintainer.ignore
4 maintainers
- @cab404
- @e1mo
- @xanderio
- @yrd
- @LeSuisse published on GitHub
Outline has IDOR in document share creation that allows unauthorized access to private documents across workspaces
Outline is a service that allows for collaborative documentation. The `shares.create` API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both `collectionId` and `documentId` are provided in the request, the authorization logic only checks access to the collection, completely ignoring the document. This allows an authenticated attacker to generate a valid public share link for any document on the platform, including documents belonging to other workspaces. The full document contents can then be retrieved via the `documents.info` endpoint. Version 1.7.0 contains a patch.
References
-
https://github.com/outline/outline/security/advisories/GHSA-23jj-rp48-w7q7 x_refsource_CONFIRM
Ignored references (1)
-
https://github.com/outline/outline/releases/tag/v1.7.0 x_refsource_MISC
Affected products
- ==>= 0.86.0, < 1.7.0
Matching in nixpkgs
Ignored packages (17)
pkgs.go-outline
Utility to extract JSON representation of declarations from a Go source file
-
nixos-unstable 2021-06-08
- nixpkgs-unstable 2021-06-08
- nixos-unstable-small 2021-06-08
-
nixos-25.11 2021-06-08
- nixos-25.11-small 2021-06-08
- nixpkgs-25.11-darwin 2021-06-08
pkgs.mdbook-pdf-outline
None
pkgs.typstPackages.suboutline
An outline function just for one section and nothing else
pkgs.python312Packages.outlines
Structured text generation
pkgs.python313Packages.outlines
Structured text generation
pkgs.typstPackages.suboutline_0_1_0
An outline function just for one section and nothing else
pkgs.typstPackages.suboutline_0_2_0
An outline function just for one section and nothing else
pkgs.typstPackages.suboutline_0_3_0
An outline function just for one section and nothing else
pkgs.mplus-outline-fonts.osdnRelease
M+ Outline Fonts (legacy OSDN release)
pkgs.python312Packages.outlines-core
Structured text generation (core)
pkgs.python313Packages.outlines-core
Structured text generation (core)
pkgs.python314Packages.outlines-core
Structured text generation (core)
pkgs.typstPackages.outline-summaryst
A basic template for including a summary for each entry in the table of contents. Useful for writing books
pkgs.mplus-outline-fonts.githubRelease
M+ Outline Fonts (GitHub release)
-
nixos-unstable 2022-05-19
- nixpkgs-unstable 2022-05-19
- nixos-unstable-small 2022-05-19
-
nixos-25.11 2022-05-19
- nixos-25.11-small 2022-05-19
- nixpkgs-25.11-darwin 2022-05-19
pkgs.pkgsRocm.python3Packages.outlines
Structured text generation
pkgs.typstPackages.outline-summaryst_0_1_0
A basic template for including a summary for each entry in the table of contents. Useful for writing books
Package maintainers
Ignored maintainers (4)
-
@cab404 Vladimir Serov <cab404@mailbox.org>
-
@e1mo Nina Fromm <nixpkgs@e1mo.de>
-
@xanderio Alexander Sieg <alex@xanderio.de>
-
@yrd Yannik Rödel <nix@yannik.info>