GHSA-9cw3-j7wg-jwj8: Neos Flow Information disclosure in entity security

May 17, 2024

If you had used entity security and wanted to secure entities not just based on the user’s role, but on some property of the user (like the company he belongs to), entity security did not work properly together with the doctrine query cache. This could lead to other users re-using SQL queries from the cache which were built for other users; and thus users could see entities which were not destined for them.

References

github.com/FriendsOfPHP/security-advisories/blob/master/neos/flow/2017-04-12.yaml
github.com/advisories/GHSA-9cw3-j7wg-jwj8
github.com/neos/flow
www.neos.io/blog/flow-bugfix-releases-for-entity-security.html

Code Behaviors & Features

Detect and mitigate GHSA-9cw3-j7wg-jwj8 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →