CVE-2022-48367

Published: Mar 12, 2023Modified: Mar 4, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled.

Affected (11)

Products: Ibexa: Digital Experience Platform, Ez Platform Kernel, Ezplatform Http Cache Fastly, Fastly, Kernel

5 products

Digital Experience Platform

Ez Platform Kernel

Ezplatform Http Cache Fastly

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Ibexa Digital Experience Platform	From 3.3.0 to 3.3.18
Ibexa Digital Experience Platform	From 4.0.0 to 4.0.5
Ibexa Digital Experience Platform	From 4.1.0 to 4.1.2
Ibexa Ez Platform Kernel	From 1.3.0 to 1.3.17
Ibexa Ez Platform Kernel	From 7.5.0 to 7.5.28
Ibexa Ezplatform Http Cache Fastly	From 1.1.0 to 1.1.9
Ibexa Ezplatform Http Cache Fastly	From 2.0.0 to 2.0.11
Ibexa Fastly	From 4.0.0 to 4.0.5
Ibexa Fastly	From 4.1.0 to 4.1.2
Ibexa Kernel	From 4.0.0 to 4.0.7
Ibexa Kernel	From 4.1.0 to 4.1.4

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge

Source: cve@mitre.org

Vendor Advisory

https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x

Source: cve@mitre.org

Vendor Advisory

https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.