CVE-2024-51758

{"id": "CVE-2024-51758", "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 2.3, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "LOW", "vulnerableSystemConfidentiality": "LOW", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-11-07T18:15:17.787", "references": [{"url": "https://filamentphp.com/docs/3.x/actions/prebuilt-actions/export#customizing-the-storage-disk", "source": "security-advisories@github.com"}, {"url": "https://github.com/filamentphp/filament/security/advisories/GHSA-4hxw-gc2q-f6f3", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1188"}]}], "descriptions": [{"lang": "en", "value": "Filament is a collection of full-stack components for accelerated Laravel development. All Filament features that interact with storage use the `default_filesystem_disk` config option. This allows the user to easily swap their storage driver to something production-ready like `s3` when deploying their app, without having to touch multiple configuration options and potentially forgetting about some. The default disk is set to `public` when you first install Filament, since this allows users to quickly get started developing with a functional disk that allows features such as file upload previews locally without the need to set up an S3 disk with temporary URL support. However, some features of Filament such as exports also rely on storage, and the files that are stored contain data that should often not be public. This is not an issue for the many deployed applications, since many use a secure default disk such as S3 in production. However, [CWE-1188](https://cwe.mitre.org/data/definitions/1188.html) suggests that having the `public` disk as the default disk in Filament is a security vulnerability itself. As such, we have implemented a measure to protect users whereby if the `public` disk is set as the default disk, the exports feature will automatically swap it out for the `local` disk, if that exists. Users who set the default disk to `local` or `s3` already are not affected. If a user wants to continue to use the `public` disk for exports, they can by setting the export disk deliberately. This change has been included in the 3.2.123 release and all users who use the `public` disk are advised to upgrade."}, {"lang": "es", "value": "Filament es una colecci\u00f3n de componentes full-stack para el desarrollo acelerado de Laravel. Todas las caracter\u00edsticas de Filament que interact\u00faan con el almacenamiento usan la opci\u00f3n de configuraci\u00f3n `default_filesystem_disk`. Esto permite al usuario cambiar f\u00e1cilmente su controlador de almacenamiento a algo listo para producci\u00f3n como `s3` al implementar su aplicaci\u00f3n, sin tener que tocar m\u00faltiples opciones de configuraci\u00f3n y potencialmente olvidarse de algunas. El disco predeterminado est\u00e1 configurado como `public` cuando instala Filament por primera vez, ya que esto permite a los usuarios comenzar r\u00e1pidamente a desarrollar con un disco funcional que permite caracter\u00edsticas como vistas previas de carga de archivos localmente sin la necesidad de configurar un disco S3 con soporte de URL temporal. Sin embargo, algunas caracter\u00edsticas de Filament, como las exportaciones, tambi\u00e9n dependen del almacenamiento, y los archivos que se almacenan contienen datos que a menudo no deber\u00edan ser p\u00fablicos. Esto no es un problema para las muchas aplicaciones implementadas, ya que muchas usan un disco predeterminado seguro como S3 en producci\u00f3n. Sin embargo, [CWE-1188](https://cwe.mitre.org/data/definitions/1188.html) sugiere que tener el disco \"p\u00fablico\" como el disco predeterminado en Filament es una vulnerabilidad de seguridad en s\u00ed misma. Como tal, hemos implementado una medida para proteger a los usuarios mediante la cual si el disco \"p\u00fablico\" se establece como el disco predeterminado, la funci\u00f3n de exportaciones lo cambiar\u00e1 autom\u00e1ticamente por el disco \"local\", si existe. Los usuarios que ya configuran el disco predeterminado como \"local\" o \"s3\" no se ven afectados. Si un usuario desea continuar usando el disco \"p\u00fablico\" para las exportaciones, puede hacerlo configurando el disco de exportaci\u00f3n deliberadamente. Este cambio se ha incluido en la versi\u00f3n 3.2.123 y se recomienda a todos los usuarios que usan el disco \"p\u00fablico\" que actualicen."}], "lastModified": "2024-11-21T17:15:23.143", "sourceIdentifier": "security-advisories@github.com"}