From 9d24ac4e3966bccb95a2decdd9fb4d87462b77dd Mon Sep 17 00:00:00 2001 From: Matt Westcott Date: Wed, 1 May 2024 12:15:09 +0100 Subject: [PATCH] Release note for CVE-2024-32882 in 6.0.3 --- CHANGELOG.txt | 1 + docs/extending/generic_views.md | 2 ++ docs/releases/6.0.3.md | 8 ++++++++ 3 files changed, 11 insertions(+) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 96cae4571229..175468340dfc 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -120,6 +120,7 @@ Changelog 6.0.3 (xx.xx.xxxx) - IN DEVELOPMENT ~~~~~~~~~~~~~~~~~~ + * Fix: CVE-2024-32882: Permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet` (Ben Morse, Joshua Munn, Jake Howard, Sage Abdullah) * Fix: Respect `WAGTAIL_ALLOW_UNICODE_SLUGS` setting when auto-generating slugs (LB (Ben) Johnston) * Fix: Use correct URL when redirecting back to page search results after an AJAX search (Sage Abdullah) * Fix: Reinstate missing static files in style guide (Sage Abdullah) diff --git a/docs/extending/generic_views.md b/docs/extending/generic_views.md index 763aa332b9a3..2fc603ccee15 100644 --- a/docs/extending/generic_views.md +++ b/docs/extending/generic_views.md @@ -8,6 +8,8 @@ Wagtail provides several generic views for handling common tasks such as creating / editing model instances and chooser modals. For convenience, these views are bundled in [viewsets](viewsets_reference). +(modelviewset)= + ## ModelViewSet The {class}`~wagtail.admin.viewsets.model.ModelViewSet` class provides the views for listing, creating, editing, and deleting model instances. For example, if we have the following model: diff --git a/docs/releases/6.0.3.md b/docs/releases/6.0.3.md index 63d6bd501b63..ab0a0da64e16 100644 --- a/docs/releases/6.0.3.md +++ b/docs/releases/6.0.3.md 
@@ -11,6 +11,14 @@ depth: 1 ## What's new +### CVE-2024-32882: Permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet` + +This release addresses a permission vulnerability in the Wagtail admin interface. If a model has been made available for editing through the [`wagtail.contrib.settings`](/reference/contrib/settings) module or [ModelViewSet](modelviewset), and the permission argument on FieldPanel has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific field can craft an HTTP POST request that bypasses the permission check on the individual field, allowing them to update its value. + +The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, or by a user who has not been granted edit access to the model in question. The editing interfaces for pages and snippets are also unaffected. + +Many thanks to Ben Morse and Joshua Munn for reporting this issue, and Jake Howard and Sage Abdullah for the fix. For further details, please see [the CVE-2024-32882 security advisory](https://github.com/wagtail/wagtail/security/advisories/GHSA-w2v8-php4-p8hc). + ### Bug fixes * Respect `WAGTAIL_ALLOW_UNICODE_SLUGS` setting when auto-generating slugs (LB (Ben) Johnston)
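Review bot: In the CHANGELOG.txt hunk the new entry lists reporters and fixers in one undifferentiated credit ("Ben Morse, Joshua Munn, Jake Howard, Sage Abdullah"), while the release note in docs/releases/6.0.3.md distinguishes who reported and who fixed; consider mirroring that split here, or at least keeping the order consistent, so the two records agree. Also, the surrounding header still reads `6.0.3 (xx.xx.xxxx) - IN DEVELOPMENT`, so the date will need filling in at release time for a security fix that users will look up by version.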
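Review bot: The docs/extending/generic_views.md hunk adds the MyST label `(modelviewset)=` only so that the `[ModelViewSet](modelviewset)` link in the release note resolves; that is fine, but the label and the release note must land together, otherwise the docs build emits an unresolved cross-reference and the advisory text loses its link. The blank line between the label and `## ModelViewSet` is correct for attaching the label to the heading; it may be worth pointing any other pages that currently deep-link to this section at the new anchor as well.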
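Review bot: In the docs/releases/6.0.3.md hunk, "the permission argument on FieldPanel" names an API parameter and a class in plain text while the rest of the note puts identifiers such as `wagtail.contrib.settings` and `ModelViewSet` in code font; for consistency write `the `permission` argument on `FieldPanel``. The note is also missing the one line readers of a security release note act on: that the fix is to upgrade to 6.0.3 (and whether earlier supported series receive the same patch), so consider adding that beside the pointer to the GHSA-w2v8-php4-p8hc advisory. The scoping statement (not exploitable without admin access and edit permission on the model; pages and snippets unaffected) is the right level of detail and should stay.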