The Silverstripe Assets Module, a core component of the Silverstripe Framework, contains an incorrect authorization vulnerability (CWE-863) in versions before 2.4.5 and between 3.0.0-rc1 and 3.1.2. When images are rendered in templates or accessed via DBFile::getURL() or DBFile::getSourceURL(), an access grant is improperly added to the current session, allowing bypass of intended file permissions. This behavior is commonly triggered when creating image variants through manipulation methods such as ScaleWidth() or Convert(). Developers using DBFile directly for DataObject classes not subclassing File and setting file visibility to "protected" must now explicitly provide access grants. The issue is resolved in Silverstripe Assets versions 2.4.5 and 3.1.3.

The vulnerability allows unauthorized access to files that should be protected by file permissions, potentially exposing sensitive images or assets. The CVSS score of 5.3 (medium severity) reflects a network attack vector with low complexity and no privileges or user interaction required, resulting in limited confidentiality impact without affecting integrity or availability.

This vulnerability is fixed in Silverstripe Assets versions 2.4.5 and 3.1.3. Users should upgrade to these or later versions to remediate the issue. Developers who use DBFile directly for DataObject classes with protected visibility must explicitly grant access to those files or change file visibility to "public" if they want default accessibility. Patch status is not explicitly stated in the vendor advisory, but the fix is included in the specified versions.