EIQ-2019-0034

ID: EIQ-2019-0034
CVE: -
Description: A private API endpoint could provide access to unauthorized data sources
Date: 27 Sep 2019
Severity: 0 - UNKNOWN
CVSSv3 score: CVSSv3 score not available on NIST NVD.
Status: Fixed in 2.6.0

Assessment

The /private/entity-groups/${group_uuid} platform private API endpoint does not properly check source access permissions. This could enable a platform user to access platform resources that they would normally not be able to access with their currently assigned roles and permissions.

A signed-in user with at least the read entities permission, and without admin access rights, could use a command-line HTTP client to send a request to the endpoint and download entities originating from the same ingested package.

A signed-in platform user with the read entities permission could retrieve a group UUID from a pinned entity on a shared workspace, for example.
They could then include the retrieved group UUID as a URL parameter and send a cURL request to /private/entity-groups/${group_uuid}.
This would give them access to ingested packages that have the group as a data source, and to the entities included in those packages.
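To make the missing check concrete, here is an added Python model of the authorization decision behind this endpoint: the flawed handler that only checks the read entities permission, beside a hardened one that also verifies the caller may read the data source the group belongs to. This is illustrative code written for this page, not the platform's own implementation; the function and class names, the sample groups and the UUIDs are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class User:
    name: str
    permissions: FrozenSet[str]      # e.g. {"read entities"}
    allowed_sources: FrozenSet[str]  # group UUIDs whose packages this user may read
    is_admin: bool = False


@dataclass(frozen=True)
class EntityGroup:
    uuid: str
    entities: List[str]


# Constructed sample data; the UUIDs are placeholders, not real group identifiers.
GROUP_A = "00000000-0000-4000-8000-00000000000a"
GROUP_B = "00000000-0000-4000-8000-00000000000b"
GROUPS: Dict[str, EntityGroup] = {
    GROUP_A: EntityGroup(GROUP_A, ["indicator-1", "indicator-2"]),
    GROUP_B: EntityGroup(GROUP_B, ["report-7"]),
}
# The analyst may read entities, but only from the packages sourced by GROUP_A.
ANALYST = User("analyst", frozenset({"read entities"}), frozenset({GROUP_A}))
ADMIN = User("admin", frozenset({"read entities"}), frozenset(), is_admin=True)


def get_entity_group_vulnerable(user: User, group_uuid: str) -> List[str]:
    """Flawed handler: checks only that the caller may read entities at all, so any
    group UUID learned elsewhere (e.g. from a pinned entity) is served."""
    if "read entities" not in user.permissions:
        raise PermissionError("read entities permission required")
    return GROUPS[group_uuid].entities


def get_entity_group_fixed(user: User, group_uuid: str) -> List[str]:
    """Hardened handler: the caller must also be allowed to read the data source
    (the group) the entities originate from; admins are exempt by design here."""
    if "read entities" not in user.permissions:
        raise PermissionError("read entities permission required")
    # A group outside the caller's sources is treated exactly like a missing group,
    # so the response does not reveal whether a leaked or guessed UUID exists.
    if group_uuid not in GROUPS or (not user.is_admin and group_uuid not in user.allowed_sources):
        raise LookupError("entity group not found")
    return GROUPS[group_uuid].entities
```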

Mitigation

None at this time.

Affected versions

2.5.0 and earlier.

Notes

-

In release notes 2.5.0

In release notes 2.6.0