Plane is an an open-source project management tool. Prior to version 1.2.2, the `ProjectAssetEndpoint.patch()` method in `apps/api/plane/app/views/asset/v2.py` (lines 579–593) performs a global asset lookup using only the asset ID (`pk`) via `FileAsset.objects.get(id=pk)`, without verifying that the asset belongs to the workspace and project specified in the URL path. This allows any authenticated user (including those with the GUEST role) to modify the `attributes` and `is_uploaded` status of assets belonging to any workspace or project in the entire Plane instance by guessing or enumerating asset UUIDs.
Version 1.2.2 fixes the issue.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 3
https://github.com/makeplane/plane/commit/9070acbbe81bc02db5c169789da6862d5fc35…
security-advisories@github.com
https://github.com/makeplane/plane/releases/tag/v1.2.2
security-advisories@github.com
https://github.com/makeplane/plane/security/advisories/GHSA-rfj3-8c85-g46j
security-advisories@github.com