EIQ-2018-0020
|
ID |
EIQ-2018-0020 (Former ref.: 27577) |
|
CVE |
- |
|
Description |
Access to data sources through the API |
|
Date |
- |
|
Severity |
3 - HIGH |
|
CVSSv3 score |
CVSSv3 score not available on NIST NVD. |
|
Status |
|
|
Assessment |
A user with the modify groups permission and without the read sources permission can view data sources they do not have access to. Using API calls, a user with the above permissions can also assign data sources to themselves or to other users. This enables users to access and to apply actions on platform data that would normally not be accessible to them. |
|
Mitigation |
Permissions should allow users to access only the allowed data sources of the groups they are members of. |
|
Affected versions |
2.3.2 to 2.4.0 included. |
|
Notes |
- |
2.5.0< Back to all security issues and mitigation actions
In release notes 2.5.0