Neos Flow Information disclosure in entity security
Moderate severity
GitHub Reviewed
Published
May 17, 2024
to the GitHub Advisory Database
•
Updated May 17, 2024
Package
Affected versions
>= 3.0.0, < 3.0.12
>= 3.1.0, < 3.1.10
>= 3.2.0, < 3.2.13
>= 3.3.0, < 3.3.13
>= 4.0.0, < 4.0.6
Patched versions
3.0.12
3.1.10
3.2.13
3.3.13
4.0.6
Description
Published to the GitHub Advisory Database
May 17, 2024
Reviewed
May 17, 2024
Last updated
May 17, 2024
If you had used entity security and wanted to secure entities not just based on the user's role, but on some property of the user (like the company he belongs to), entity security did not work properly together with the doctrine query cache. This could lead to other users re-using SQL queries from the cache which were built for other users; and thus users could see entities which were not destined for them.
Am I affected?
All Flow versions (starting in version 3.0, where Entity Security was introduced) were affected.
References