Release note for CVE-2024-32882 in 6.1

wagtail · May 1, 2024 · 54b33e8 · 54b33e8
1 parent 6f88076
commit 54b33e8
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -41,6 +41,7 @@ Changelog
  * Populate django-treebeard cache during page routing to improve performance of `get_parent` (Nigel van Keulen)
  * Add a new user profile preference to configure user interface information density (Thibaud Colas)
  * Add additional field types to Elasticsearch mapping (scott-8)
+ * Fix: CVE-2024-32882: Permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet` (Ben Morse, Joshua Munn, Jake Howard, Sage Abdullah)
  * Fix: Fix typo in `__str__` for MySQL search index (Jake Howard)
  * Fix: Ensure that unit tests correctly check for migrations in all core Wagtail apps (Matt Westcott)
  * Fix: Correctly handle `date` objects on `human_readable_date` template tag (Jhonatan Lopes)

diff --git a/docs/releases/6.1.md b/docs/releases/6.1.md
@@ -64,6 +64,13 @@ For sites managing favicons via the CMS, Wagtail now supports [`.ico` favicon ge
 
 This feature was developed by Jake Howard.
 
+### CVE-2024-32882: Permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet`
+
+This release addresses a permission vulnerability in the Wagtail admin interface. If a model has been made available for editing through the [`wagtail.contrib.settings`](/reference/contrib/settings) module or [ModelViewSet](modelviewset), and the permission argument on FieldPanel has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific field can craft an HTTP POST request that bypasses the permission check on the individual field, allowing them to update its value.
+
+The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, or by a user who has not been granted edit access to the model in question. The editing interfaces for pages and snippets are also unaffected.
+
+Many thanks to Ben Morse and Joshua Munn for reporting this issue, and Jake Howard and Sage Abdullah for the fix. For further details, please see [the CVE-2024-32882 security advisory](https://github.com/wagtail/wagtail/security/advisories/GHSA-w2v8-php4-p8hc).
 
 ### Other features