CIVI-SA-2022-03: Permission Advice

2022-03-16 12:00
Written by
dev-team - member of the CiviCRM community - view blog guidelines

This is not a security vulnerability. It is a mitigation to protect against misconfiguration.

CiviCRM includes a large number of configurable permissions. Administrators may assign these permissions to various users and roles. This is powerful functionality that accommodates diverse needs, but it provides the opportunity for misconfiguration.

Misconfigurations may arise for a few reasons, such as:

  • Misunderstandings - A permission named "access CiviContribute" is ambiguous. It can be interpreted to mean "access CiviContribute like a staffer" or "access CiviContribute like a member of the public" or "access CiviContribute like an administrator". One must look past this technical name to find a meaning.
  • Subjectivity - "Appropriate" and "inappropriate" permissions depend on the organization, its people, its goals, etc.

The current update includes an additional guardrail to protect against misconfiguration. For example, "access CiviContribute" is intended for backend (staff/volunteer/fundraising) users who manage contributions. It is hard to imagine ever granting "access CiviContribute" to anonymous users (except in that the name is ambiguous). This misconfiguration will now produce a warning.

This update is not exhaustive, and future monthly iterations may refine the advice and detection for unusual configurations.

Security Risk
Less Critical
Affected Versions

All versions less than or equal to: 5.47.1, 5.46.2, 5.45.3

Fixed Versions

CiviCRM versions 5.47.2, 5.46.3, and 5.45.4 ESR

Publication Date

Any ONE of the following:

  • Upgrade to CiviCRM v5.47.2+, v5.46.3+, or v5.45.4+ ESR; and check status messages
  • Check permission configuration

Bob Silvern of San Diego 350
Richard Lott of Artful Robot
Seamus Lee of JMA Consulting and CiviCRM
Tim Otten of CiviCRM