Home > Vulnerability Database > CVE-2024-1314

Mend.io Vulnerability Database

CVE-2024-1314

Good to know:

Date: August 19, 2025

In kinto-attachment before 6.4.0 the attachment file of an existing record can be replaced if the user has "read" permission on one of the parent (collection or bucket), and if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request.

Language: Python

Severity Score

8.6

Related Resources (6)

Url: https://github.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1

Url: https://bugzilla.mozilla.org/show_bug.cgi?id=1879034

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-1314

Url: https://github.com/Kinto/kinto-attachment

Url: https://github.com/Kinto/kinto-attachment/security/advisories/GHSA-hvp4-vrv2-8wrq

Url: https://www.mend.io/vulnerability-database/CVE-2024-1314

Severity Score

8.6

Top Fix

Upgrade Version

Upgrade to version kinto-attachment - 6.4.0

Learn More

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-1314

Good to know:

Date: August 19, 2025

Language: Python

Severity Score

Related Resources (6)

Severity Score

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?