
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-pcpm-vc4v-cmvx) affects eZ Platform's role assignment functionality and was discovered and disclosed on November 10, 2022. It affects the eZ Platform v1.5 and v2.3 release series and the Ibexa DXP v3.3 and v4.2 release series; patches were released in eZ Platform v1.5.29 and v2.3.26 and in Ibexa DXP v3.3.28 and v4.2.3 respectively. The vulnerability allows users holding the Company admin role, or any role carrying the role/assign policy, to assign any role to any user, bypassing the intended subtree limitations (GitHub Advisory, Ibexa Advisory).
The vulnerability stems from a failure in the subtree limitation mechanism for role assignment policies. When a user has the role/assign policy, the system fails to enforce any configured subtree limitations, effectively allowing unrestricted role assignments. This particularly affects the Company admin role introduced in v4 of the platform, but extends to any user with role assignment capabilities (Ibexa Advisory).
The vulnerability allows affected users to assign any role to any user in the system, bypassing the intended hierarchical restrictions. Role assignment is typically reserved for administrators, but installations that delegate role assignment more broadly (for example to department-level administrators limited to a subtree) are exposed to unauthorized privilege escalation, since such a user can grant themselves or others roles outside their subtree (GitHub Advisory).
The vulnerability has been patched in eZ Platform versions v1.5.29, v2.3.26, and Ibexa DXP versions v3.3.28, v4.2.3. Organizations should immediately upgrade to these versions or later to ensure subtree limitations are properly enforced. Additionally, it is recommended to audit existing role assignments and verify which users have role assignment capabilities in their installation (GitHub Advisory, Ibexa Advisory).
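As an added illustration (not code from this page, the advisories, or the Ibexa project), the following Python model contrasts the pre-patch check, which looks only for the presence of a role/assign policy, with a corrected check that also enforces the policy's subtree limitation, and includes an audit helper of the kind the advisories recommend running over existing assignments. The `Policy`/`User` shapes and the location paths are assumptions modelled on the platform's "/1/2/55/"-style location path convention.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    module: str
    function: str
    # SubtreeLimitation values: location paths such as "/1/2/55/"; empty means unlimited
    subtree_limitation: list = field(default_factory=list)


@dataclass
class User:
    name: str
    location_path: str  # path of the user's main location (assumed shape)
    policies: list = field(default_factory=list)


def in_subtree(path, roots):
    """True if path lies at or below any root; trailing slashes stop /1/2/5/ matching /1/2/55/."""
    norm = lambda s: s if s.endswith("/") else s + "/"
    return any(norm(path).startswith(norm(r)) for r in roots)


def can_assign_vulnerable(actor, target):
    """Pre-patch behaviour: presence of role/assign is checked, its limitation is ignored."""
    return any(p.module == "role" and p.function == "assign" for p in actor.policies)


def can_assign_fixed(actor, target):
    """Patched behaviour: the subtree limitation on role/assign is enforced against the target."""
    for p in actor.policies:
        if p.module == "role" and p.function == "assign":
            if not p.subtree_limitation or in_subtree(target.location_path, p.subtree_limitation):
                return True
    return False


def audit_assigners(users):
    """List every user holding role/assign together with its limitation, for review."""
    return [(u.name, p.subtree_limitation or ["<unlimited>"])
            for u in users for p in u.policies
            if p.module == "role" and p.function == "assign"]


# Constructed sample data: a site admin, a subtree-limited department admin, two targets
SITE_ADMIN = User("admin", "/1/5/14/", [Policy("role", "assign")])
SALES_ADMIN = User("sales-admin", "/1/2/55/20/", [Policy("role", "assign", ["/1/2/55/"])])
SALES_USER = User("sales-user", "/1/2/55/99/")
HR_USER = User("hr-user", "/1/2/60/7/")

if __name__ == "__main__":
    for actor in (SITE_ADMIN, SALES_ADMIN):
        for target in (SALES_USER, HR_USER):
            print(actor.name, "->", target.name, "vulnerable:",
                  can_assign_vulnerable(actor, target), "fixed:", can_assign_fixed(actor, target))
    print(audit_assigners([SITE_ADMIN, SALES_ADMIN, SALES_USER, HR_USER]))
```

Running it shows sales-admin assigning to hr-user succeeds under the vulnerable check and is refused under the fixed one, while the unlimited site admin is unaffected by the patch.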
Source: This report was generated using AI