CVE-2022-39322

Published: Oct 25, 2022

Modified: Apr 22, 2025

PUBLISHED

CVSS v3.1

9.1

CRITICAL

Description

@keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if configured - are vulnerable to their field-level access control not being used. List-level access control is not affected. Field-level access control for fields other than `multiselect` are not affected. Version 2.3.1 contains a fix for this issue. As a workaround, stop using the `multiselect` field.

Vendor	Product	Versions
keystonejs	keystone	affected `>= 2.2.0, < 2.3.1`

Weaknesses (CWE)

CWE-285

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/keystonejs/keystone/security/advisories/GHSA-6mhr-52mv-6v6f

https://github.com/keystonejs/keystone/commit/65c6ee3deef23605fc72b80230908696a7a65e7c

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-39322

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References