BookStack Security Release v21.11.2
Dan Brown posted on the 30th of November 2021
BookStack v21.11.2 has been released. This is a security release that address a couple of vulnerabilities relating to API access and page draft related content visibility:
- If the “Public” role was provided API access then the API could be accessed, in certain scenarios, by non-authenticated users even if the “Allow public access” setting was disabled.
- In some specific scenarios, content related to page drafts (Such as attachments) could be visible to non-owners (Whom would have permission to view the page if saved as a non-draft at that point).
It’s advised to upgrade as soon as possible if the API has been enabled for roles within your instance or if draft page content visibility could be a security concern for you.
Full List of Changes
- Fixed issue with greater-than-expected visibility on page-draft-related items. Thanks @haxatron for reporting. (#3086)
- Fixed issue where public API access was not limited by system public control in certain conditions. (#3091)
- Updated translations from latest Crowdin changes. (#3076)
For More Information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack security policy to contact someone privately.