BookStack Code Mirror - website/blob - content/blog/beta-security-release-v0-29-3.md
+++
categories = ["Releases"]
tags = ["Releases"]
title = "Beta Security Release v0.29.3"
date = 2020-05-12T22:30:00Z
author = "Dan Brown"
image = "/images/blog-cover-images/locks-shogo-narita.jpg"
description = "This v0.29.3 security release fixes an issue that exposes book names when viewed via the shelves page"
slug = "beta-release-v0-29-3"
draft = false
+++

BookStack v0.29.3 has been released to address an issue that could expose the names of private/restricted books.

* [Update instructions](https://www.bookstackapp.com/docs/admin/updates)
* [GitHub release page](https://github.com/BookStackApp/BookStack/releases/tag/v0.29.3)

### Impact

The name of a restricted book could be viewed by non-authorised users when the book was on a shelf and the shelves were viewed in "List View". This could expose the names of books on a shelf to users who did not have permission to see them.

### Patches

This has been patched in version v0.29.3.

### Workarounds

Please update. If you cannot update immediately, you could temporarily change the name of any private books to remove any sensitive content.

### References

* [BookStack Beta v0.29.3](https://github.com/BookStackApp/BookStack/releases/tag/v0.29.3)
* [GitHub Security Advisory](https://github.com/BookStackApp/BookStack/security/advisories/GHSA-c32x-84w6-5mxq)
* [GitHub Issue #2111](https://github.com/BookStackApp/BookStack/issues/2111)

### Attribution

* Thanks to [GitHub user Usinouv](https://github.com/BookStackApp/BookStack/issues/2111) for discovering and reporting this issue.

### More Information

If you have any questions or comments about this advisory:
* Open an issue in [the BookStack GitHub repository](https://github.com/BookStackApp/BookStack/issues).
* Ask on the [BookStack Discord chat](https://discord.gg/ztkBqR2).
* Follow the [BookStack Security Advice](https://github.com/BookStackApp/BookStack#-security) to contact someone privately.

----

<span style="font-size: 0.8em;opacity:0.8;">Header Image Credits: &nbsp; <a style="background-color:black;color:white;text-decoration:none;padding:4px 6px;font-family:-apple-system, BlinkMacSystemFont, &quot;San Francisco&quot;, &quot;Helvetica Neue&quot;, Helvetica, Ubuntu, Roboto, Noto, &quot;Segoe UI&quot;, Arial, sans-serif;font-size:12px;font-weight:bold;line-height:1.2;display:inline-block;border-radius:3px" href="https://unsplash.com/@blackwood_castle" target="_blank" rel="noopener noreferrer" title="Shogo Narita"><span style="display:inline-block;padding:2px 3px"><svg xmlns="http://www.w3.org/2000/svg" style="height:12px;width:auto;position:relative;vertical-align:middle;top:-2px;fill:white" viewBox="0 0 32 32"><title>unsplash-logo</title><path d="M10 9V0h12v9H10zm12 5h10v18H0V14h10v9h12v-9z"></path></svg></span><span style="display:inline-block;padding:2px 3px">Shogo Narita</span></a></span>