CIVI-SA-2022-07: APIv3 Access Bypass

Published
2022-06-01 12:00
A vulnerability in processing APIv3 AJAX requests could allow a malicious request to bypass permission checks.

Security Risk
Highly Critical
Vulnerability
Access Bypass
Affected Versions

5.50.beta1, 5.49.3, and 5.45.5 (and earlier)

Fixed Versions

5.50.0, 5.49.4, and 5.45.6 ESR (and later)

Solutions

Any ONE of the following:

  • (Recommended) Upgrade to CiviCRM v5.50.0, v5.49.4, or v5.45.6 ESR
  • (Alternative Mitigation) Ensure that the permissions "access AJAX API" and "access CiviCRM" are granted only to trusted, administrative users. (NOTE: This mitigation is only practical on small, simple sites. It may be impractical if the site has semi-trusted backend users or if it has any extensions that use APIv3 AJAX.)
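The affected/fixed version lists above cover three release branches plus a pre-release, which makes an "is my site affected?" check slightly more than a string comparison. The following is an added example, not code from the advisory or from the CiviCRM project: it parses CiviCRM-style version strings (including `beta`/`alpha`/`rc` pre-releases, which sort before the corresponding `.0` final release) and compares them against the fixed versions stated above. Its treatment of branches the advisory does not list (for example 5.46 through 5.48, which received no fix and are assumed affected because they are earlier than 5.50.0) is an assumption of this example, as is the assumption that every release newer than 5.50.0 carries the fix.

```python
import re

# First fixed release on each branch, exactly as stated in the advisory.
FIXED_ON_BRANCH = {
    (5, 45): "5.45.6",  # ESR branch
    (5, 49): "5.49.4",
    (5, 50): "5.50.0",
}
# Newest fixed line; assumption: anything older is affected, anything newer is fixed.
NEWEST_FIXED = "5.50.0"

# Accepts "X.Y.Z" or "X.Y.betaN" / "X.Y.alphaN" / "X.Y.rcN" (CiviCRM's pre-release style).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(?:(\d+)|(alpha|beta|rc)(\d*))$")


def parse_version(text: str) -> tuple:
    """Parse a CiviCRM version string into a sortable tuple.

    Final release X.Y.Z   -> (X, Y, Z, 1, 0)
    Pre-release X.Y.betaN -> (X, Y, 0, 0, N)   (sorts before X.Y.0)
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CiviCRM version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3) is not None:  # numeric patch level: a final release
        return (major, minor, int(m.group(3)), 1, 0)
    return (major, minor, 0, 0, int(m.group(5) or 0))


def is_affected(text: str) -> bool:
    """True if the given CiviCRM version is affected by CIVI-SA-2022-07."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_ON_BRANCH:
        # A fix exists on this branch: affected only if older than that fix.
        return version < parse_version(FIXED_ON_BRANCH[branch])
    # No fix on this branch (assumption): compare against the newest fixed line.
    return version < parse_version(NEWEST_FIXED)


def report(versions):
    """Return a {version: 'affected' | 'fixed'} summary for a list of versions."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inputs covering each branch and a pre-release.
    for ver, status in report(
        ["5.50.beta1", "5.50.0", "5.49.3", "5.49.4", "5.45.5", "5.45.6", "5.47.2", "5.51.0"]
    ).items():
        print(f"{ver:12} {status}")
```

Run it with the installed version (for example the value shown on the CiviCRM "About" page) substituted into the sample list; a result of `affected` means the upgrade or the permission mitigation above still needs to be applied.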
Credits

Artful Robot - Rich Lott; JMA Consulting - Seamus Lee; Wikimedia Foundation - Eileen McNaughton; CiviCRM - Coleman Watts, Tim Otten

References

security/core#116