SCA: security update for wagtail (GHSA-w2v8-php4-p8hc)

low Tenable Self-Hosted Container Security Plugin ID 419638

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Wagtail is an open source content management system built on Django. In affected versions if a model has
been made available for editing through the `wagtail.contrib.settings` module or `ModelViewSet`, and the
`permission` argument on `FieldPanel` has been used to further restrict access to one or more fields of
the model, a user with edit permission over the model but not the specific field can craft an HTTP POST
request that bypasses the permission check on the individual field, allowing them to update its value.
This vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, or
by a user who has not been granted edit access to the model in question. The editing interfaces for pages
and snippets are also unaffected. Patched versions have been released as Wagtail 6.0.3 and 6.1. Wagtail
releases prior to 6.0 are unaffected. Users are advised to upgrade. Site owners who are unable to upgrade
to a patched version can avoid the vulnerability as follows: 1.For models registered through
`ModelViewSet`, register the model as a snippet instead; 2. For settings models, place the restricted
fields in a separate settings model, and configure permission at the model level. (CVE-2024-32882)

See Also

https://github.com/advisories/GHSA-w2v8-php4-p8hc

Plugin Details

Severity: Low

ID: 419638

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 3.3

Temporal Score: 2.4

Vector: CVSS2#AV:N/AC:L/Au:M/C:N/I:P/A:N

CVSS Score Source: CVE-2024-32882

CVSS v3

Risk Factor: Low

Base Score: 2.7

Temporal Score: 2.4

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/1/2024

Vulnerability Publication Date: 5/1/2024

Reference Information

CVE: CVE-2024-32882

cwe: CWE-280