From 9050a521a95f0d8a9fdb973b2b8e146a15be1498 Mon Sep 17 00:00:00 2001
From: sampion88 <sammaertens@gmail.com>
Date: Fri, 24 Jan 2025 15:00:18 +0100
Subject: [PATCH] new vulnerability in django-guardian

---
 input/new.json | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/input/new.json b/input/new.json
index 87646b9..e4f4478 100644
--- a/input/new.json
+++ b/input/new.json
@@ -1,15 +1,24 @@
 {
-  "package_name": "",
-  "patch_versions": [],
-  "vulnerable_ranges": [],
-  "cwe": [],
-  "tldr": "",
-  "doest_this_affect_me": "",
-  "how_to_fix": "",
-  "vulnerable_to": "",
+  "package_name": "django-guardian",
+  "patch_versions": [
+    "3.0.0rc1"
+  ],
+  "vulnerable_ranges": [
+    [
+      "1.0.0",
+      "2.4.0"
+    ]
+  ],
+  "cwe": [
+    "CWE-285"
+  ],
+  "tldr": "Affected versions of this package fail to properly enforce checks for guardian permissions, making both `GuardedModelAdminMixin` and `GuardedModelAdmin` unsafe. Any user who accesses the paths provided by `GuardedModelAdminMixin` can view, add, change, and delete guardian permissions for any user, regardless of whether the current user has the necessary guardian permissions. This vulnerability allows unauthorized users to manipulate permissions, potentially compromising the security and integrity of the system.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade the `django-guardian` library to the patch version.",
+  "vulnerable_to": "Improper Authorization",
   "related_cve_id": "",
-  "language": "",
-  "severity_class": "",
-  "aikido_score": 0,
-  "changelog": ""
+  "language": "python",
+  "severity_class": "HIGH",
+  "aikido_score": 70,
+  "changelog": "https://github.com/django-guardian/django-guardian/releases/tag/3.0.0rc1"
 }