Impact
Due to a missing permission check on the image preview endpoint, a user with access to the Wagtail admin can preview any image. The existing data of the image object itself is not exposed. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
Patches
Patched versions have been released as Wagtail 7.0.8, 7.3.3, 7.4.2.
Workarounds
For sites that cannot easily upgrade to a current supported version, the vulnerability can be patched by adding the following code to the project's urls.py URL pattern declarations, ahead of the Wagtail admin URL registration, so that it overrides the vulnerable view.
    from django.core.exceptions import PermissionDenied
    from django.shortcuts import get_object_or_404
    from django.urls import include, path
    from wagtail.admin import urls as wagtailadmin_urls
    from wagtail.images import get_image_model
    from wagtail.images.permissions import permission_policy
    from wagtail.images.views.preview import preview


    def patched_preview(request, image_id, filter_spec):
        # Enforce the "change" permission check that the vulnerable view lacks,
        # then delegate to Wagtail's own preview view.
        image = get_object_or_404(get_image_model(), id=image_id)
        if not permission_policy.user_has_permission_for_instance(
            request.user, "change", image
        ):
            raise PermissionDenied
        return preview(request, image_id, filter_spec)


    urlpatterns = [
        # Example where the CMS admin is at /admin/.
        # Add this before the Wagtail admin URLs registration, with the same
        # sub-path, so that it is matched first.
        path("admin/images/<int:image_id>/preview/<str:filter_spec>/", patched_preview),
        path("admin/", include(wagtailadmin_urls)),
    ]