=====================================================================

                             CERT-Renater

                  Note d'Information No. 2023/VULN143

_____________________________________________________________________

DATE                : 05/04/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Galaxy versions prior to
                                 22.01, 22.05, 23.0.

=====================================================================
https://github.com/galaxyproject/galaxy/security/advisories/GHSA-j8q2-r4g5-f22j
_____________________________________________________________________


Unauthorized modification of pages/visualizations due to insufficient
permission check

Moderate
martenson published GHSA-j8q2-r4g5-f22j
Package
No package listed

Affected versions
likely all

Patched versions
>= 22.01


Description

Attacker can modify or delete any Galaxy Visualization or Galaxy Page
given they know the encoded ID of it. Additionally they can copy or
import any Galaxy Visualization given they know the encoded ID of it.


Impact

All supported versions of Galaxy are affected i.e. 22.01, 22.05, and
23.0. Unsupported versions are likely affected as far back as the
functionality of Visualizations/Pages exists.


Patches

     Galaxy 22.01: 
https://depot.galaxyproject.org/patch/GX-2023-0001/modify_pages_viz-release_22.01.patch
     Galaxy 22.05: 
https://depot.galaxyproject.org/patch/GX-2023-0001/modify_pages_viz-release_22.05.patch
     Galaxy 23.0: 
https://depot.galaxyproject.org/patch/GX-2023-0001/modify_pages_viz-release_23.0.patch

To apply the patch, navigate to the root of your Galaxy
directory, then execute:

wget -O - "URL of the patch for your version from above" | patch -p1

or:

curl "URL of the patch for your version from above" | patch -p1

You can test application of the patch before applying it by adding
the --dry-run flag to patch.

For the changes to take effect, you must restart all Galaxy server
processes.

All supported branches of Galaxy (>= release_22.01) were amended
with the supplied patches.


Workarounds

You must apply the supplied patch or update to the release_22.01 or
newer. There are no supported workarounds.


References

This vulnerability has been discovered and responsibly disclosed
by @familiardisaster using the huntr.dev platform. The Galaxy
Project is grateful for the help.


Severity
Moderate

CVE ID
CVE-2023-27578

Weaknesses
CWE-284


Credits

     @familiardisaster familiardisaster

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================