Security advisory: IBEXA-SA-2022-004

Ineffective object state limitation and Unauthenticated Fastly purge
Publication date:
28/04/2022, 14:23


Affected versions: ibexa/core v4.1.*, v4.0.*, ibexa/fastly v4.1.*, v4.0.*, ezsystems/ezplatform-kernel v1.3.*, ezsystems/ezplatform-http-cache-fastly v2.0.*, v1.1.*, ezsystems/ezpublish-kernel v7.5.*
Resolving versions: ibexa/core v4.1.2, v4.0.5, ibexa/fastly v4.1.2, v4.0.5, ezsystems/ezplatform-kernel v1.3.17, ezsystems/ezplatform-http-cache-fastly v2.0.11, v1.1.9, ezsystems/ezpublish-kernel v7.5.28

This security advisory is about two vulnerabilities, which both affect all supported branches of Ibexa DXP and eZ Platform. The fixes are included in these 4 releases which were made today: Ibexa DXP v4.1.2, v4.0.5, and v3.3.18, and eZ Platform v2.5.29.

The first is about object state limitation. This is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on how your frontent is designed, knowing the URL to the content may or may not be required to access it. If you are using object state limitations in your roles, this issue is critical. Please apply the fix as soon as possible.

The issue was reported to us by Patrick Allaert. We are very grateful for his research and responsible disclosure to us.

The second vulnerability affects sites using Fastly. Single PURGE requests can by default be done without authentication. This can be abused to purge cache for URLs one by one. We strongly recommend you apply the fix as soon as possible, if you are using Fastly.

This security advisory is distributed via Composer, please see "Resolving versions" above.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:

All security advisories