CVE-2021-4026: 
PHP vulnerability analysis and mitigation

CVE-2021-4026 is a vulnerability affecting BookStack, identified as an Improper Access Control issue. The vulnerability was discovered and disclosed in November 2021, affecting BookStack versions up to (excluding) 21.11.2. This security flaw relates to permission handling in the application (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue is classified under CWE-863 (Incorrect Authorization) and involves improper access control mechanisms in the application. An alternative assessment by huntr.dev assigned a CVSS score of 6.5 (MEDIUM) with vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows unauthorized access to certain resources within BookStack, potentially exposing sensitive information. The impact is primarily focused on confidentiality, with no direct effect on integrity or availability of the system (NVD).

The vulnerability was addressed through a patch that fixes the related permissions query to consider drafts properly. The fix was implemented in commit b4fa82e, which alters queries on related items to apply proper filtering for draft visibility. Users should upgrade to BookStack version 21.11.2 or later to resolve this vulnerability (GitHub Patch).