EIQ-2020-0010



ID: EIQ-2020-0010

CVE: -

Description: Users with read-only permissions can delete objects from datasets

Date: 16 Mar 2020

Severity: 1 - LOW

CVSSv3 score: not available on NIST NVD.

Status: Fixed in 2.8.0

Assessment

A signed-in platform user with read permissions only (no admin access rights and no modify permissions) can modify objects saved to datasets in the platform.

They cannot modify dataset properties and attributes.
However, if the user belongs to a group that is also a data source of one or more entities in a dataset, they can remove those entities from the dataset.

This scenario occurs because users inherit permissions from the groups they belong to.
Groups can be assigned as the data source of entities created in the platform; a user with read-only permissions who belongs to such a group therefore gains read and modify access to those entities.
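To make the inheritance path concrete, the following is an added, hypothetical Python model of the authorization check. It is not EclecticIQ's code; the user, group, dataset and data-source structures are assumptions, and the strict variant is one plausible hardening rather than the vendor's actual fix. It contrasts a check that lets group data-source ownership stand in for dataset modify rights with one that requires the dataset permission itself.

```python
from dataclasses import dataclass, field

# Hypothetical model of the permission path in the assessment; the structures
# here are assumptions, not EclecticIQ's data model.

@dataclass
class Entity:
    entity_id: str
    data_source: str  # group recorded as this entity's data source

@dataclass
class Dataset:
    name: str
    entities: dict = field(default_factory=dict)  # entity_id -> Entity

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    perms: dict = field(default_factory=dict)  # dataset name -> {"read", "modify"}

def can_remove_inherited(user, dataset, entity):
    # Flawed check: membership in the group that is the entity's data source
    # is treated as modify access to the entity, and that is accepted as
    # enough to drop the entity from a dataset the user can only read.
    granted = user.perms.get(dataset.name, set())
    owns_via_group = entity.data_source in user.groups
    return "read" in granted and ("modify" in granted or owns_via_group)

def can_remove_strict(user, dataset, entity):
    # Corrected check: changing dataset membership needs an explicit modify
    # permission on the dataset itself; data-source ownership does not count.
    return "modify" in user.perms.get(dataset.name, set())

def remove_from_dataset(user, dataset, entity_id, check):
    # Apply the chosen check; return True only if the entity was removed.
    entity = dataset.entities[entity_id]
    if not check(user, dataset, entity):
        return False
    del dataset.entities[entity_id]
    return True

def scenario(check):
    # Constructed case: read-only user "alice" belongs to group "analysts",
    # which is the data source of entity E1 in dataset "campaign-x".
    ds = Dataset("campaign-x", {"E1": Entity("E1", "analysts")})
    alice = User("alice", {"analysts"}, {"campaign-x": {"read"}})
    removed = remove_from_dataset(alice, ds, "E1", check)
    return removed, sorted(ds.entities)
```

`scenario(can_remove_inherited)` removes E1 even though alice only has read on the dataset; `scenario(can_remove_strict)` refuses and leaves the dataset intact.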

Mitigation

We are addressing this issue in a future planned release.
Until the issue is solved:

  • Restrict platform access to only trusted users.

  • Do not allow platform access to untrusted users or sources.

Affected versions

2.7.1 and earlier.

Notes

-


See also:

  • EIQ-3597 - User with read-only permissions can delete objects from dataset (CLOSED)

  • TP 43916



In release notes 2.7.1

In release notes 2.8.0