EIQ-2018-0020



ID

EIQ-2018-0020

(Former ref.: 27577)

CVE

-

Description

Access to data sources through the API

Date

-

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✓ 2.5.0

Assessment

A user with the modify groups permission and without the read sources permission can view data sources they do not have access to.

Using API calls, a user with the above permissions can also assign data sources to themselves or to other users.

This enables users to access, and perform actions on, platform data that would normally not be accessible to them.

Mitigation

Permissions should allow users to access only the allowed data sources of the groups they are members of.
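
A minimal sketch of the check the mitigation describes, added here as an illustration and not taken from the product's code. The class names, function names and permission strings are hypothetical, and the sample user and groups are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical permission strings; the advisory names them only in prose.
MODIFY_GROUPS = "modify groups"
READ_SOURCES = "read sources"

@dataclass
class Group:
    name: str
    allowed_sources: set = field(default_factory=set)

@dataclass
class User:
    name: str
    permissions: set
    groups: list

def visible_sources(user):
    """Sources a user may see: read permission required, scoped to own groups."""
    if READ_SOURCES not in user.permissions:
        return set()
    return set().union(*(g.allowed_sources for g in user.groups))

def assign_sources_vulnerable(caller, group, source_ids):
    """Flawed pattern from the assessment: only the group permission is checked."""
    if MODIFY_GROUPS not in caller.permissions:
        raise PermissionError("modify groups permission required")
    group.allowed_sources |= set(source_ids)

def assign_sources_hardened(caller, group, source_ids):
    """Caller can only assign sources they are themselves allowed to read."""
    if MODIFY_GROUPS not in caller.permissions:
        raise PermissionError("modify groups permission required")
    denied = set(source_ids) - visible_sources(caller)
    if denied:
        raise PermissionError(f"no access to sources: {sorted(denied)}")
    group.allowed_sources |= set(source_ids)

def demo():
    """Constructed data: caller has modify groups but not read sources."""
    caller = User("editor", {MODIFY_GROUPS}, [Group("analysts", {"src-a"})])
    before, after = Group("team-x"), Group("team-x")
    assign_sources_vulnerable(caller, before, ["src-b"])  # silently succeeds
    try:
        assign_sources_hardened(caller, after, ["src-b"])
        rejected = False
    except PermissionError:
        rejected = True
    return before.allowed_sources, after.allowed_sources, rejected
```

The same scoping has to apply to the read path: `visible_sources` returns nothing for a caller without the read permission, regardless of which groups they can modify.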

Affected versions

2.3.2 to 2.4.0, inclusive.

Notes

-


In release notes 2.5.0