BookStack Code Mirror - website/blob - content/blog/2021/security-release-v21-11-2.md
+++
categories = ["Releases"]
tags = ["Releases"]
title = "BookStack Security Release v21.11.2"
date = 2021-11-30T14:15:00Z
author = "Dan Brown"
image = "/images/blog-cover-images/unsplash/lock-gina-neri.jpg"
slug = "bookstack-release-v21-11-2"
draft = false
+++

BookStack v21.11.2 has been released.
This is a security release that addresses a couple of vulnerabilities relating to API access
and the visibility of page-draft-related content:

- If the "Public" role was provided API access then the API could be accessed, in certain scenarios,
  by non-authenticated users even if the "Allow public access" setting was disabled.
- In some specific scenarios, content related to page drafts (such as attachments) could be visible
  to non-owners (who would have permission to view the page if it were saved as a non-draft at that point).

It's advised to upgrade as soon as possible if the API has been enabled for roles within your instance
or if draft page content visibility could be a security concern for you.

* [Update instructions](https://www.bookstackapp.com/docs/admin/updates)
* [GitHub release page](https://github.com/BookStackApp/BookStack/releases/tag/v21.11.2)

### Full List of Changes

* Fixed issue with greater-than-expected visibility on page-draft-related items. Thanks @haxatron for reporting. ([#3086](https://github.com/BookStackApp/BookStack/issues/3086))
* Fixed issue where public API access was not limited by system public control in certain conditions. ([#3091](https://github.com/BookStackApp/BookStack/issues/3091))
* Updated translations from latest Crowdin changes. ([#3076](https://github.com/BookStackApp/BookStack/pull/3076))

### For More Information

If you have any questions or comments about this advisory:
* Open an issue in [the BookStack GitHub repository](https://github.com/BookStackApp/BookStack/issues).
* Ask on the [BookStack Discord chat](https://discord.gg/ztkBqR2).
* Follow the [BookStack security policy](https://github.com/BookStackApp/BookStack/blob/development/.github/SECURITY.md) to contact someone privately.

----

<span style="font-size: 0.8em;opacity:0.9;">Header Image Credits: <span>Photo by <a href="https://unsplash.com/@gneri1713?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Gina Neri</a> on <a href="https://unsplash.com/?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></span></span>