01 November 2022, 18:01

Critical

We recommend you install this security update on your site as quickly as possible.

Prevent embedded images from being accessed without correct permissions

Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure

Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0 are vulnerable to embedded images being accessible without a sufficient permission check under certain conditions.

Reported by: Not disclosed
Bug report
CVE reference: CVE-2022-42707

Which versions of Mahara are fixed?

Mahara 21.10, 22.04, and 22.10 are currently supported for security fixes. You can download the latest minor point versions 21.10.5, 22.04.3, and the first stable version of 22.10 respectively to receive the fix for this security issue.

Mahara 21.04 also received the security fixes as part of 21.04.7. This is the last security release for Mahara 21.04. We recommend you upgrade to a supported version of Mahara.

Older version of Mahara are not supported with security fixes any more. However, you can patch your site by backporting the changes. The earliest backports to 21.04 that we've made relate to the series of patches for bug 1991157. You can take them as starting point for your own backports if you are on an older version of Mahara and cannot upgrade directly. You can also get in touch with us to support you with that on a consultancy basis.

Where can I find the security releases?

You can download the latest versions from Launchpad or check out the relevant branch from Git.