Users could create entities in Source Groups indirectly assigned through Groups, instead of only being able to create entities in Groups they are directly assigned to.


05 March 2021


1 - LOW

CVSSv3 score

CVSSv3 score not available on NIST NVD.


2.9.2


A user could create entities and observables in a Source Group that:

  1. is one of the Allowed sources set for their assigned user groups,

  2. but is not a Group that they actually belong to.

Instead, users should only be able to read data from allowed sources but not write to them. For more information on user permissions, see User permissions.

The issue is caused by the way the platform handles a user's assigned permissions for groups and allowed sources.

This issue affects only users' write permissions on data sources for which they should have read-only access. Users cannot delete or overwrite existing data in these sources, which reduces the severity of this advisory.

To replicate this issue, send a POST request to the /private/entities endpoint to create a new entity. The POST payload should set the entity's .source.id attribute to the ID of a Source Group that fulfills the conditions above.


This vulnerability is addressed in EclecticIQ Platform 2.10.0 by correctly restricting a user's write permissions to assigned Groups only, instead of allowing entity creation on Allowed sources.
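The following added example (not EclecticIQ Platform code) models the flawed and the corrected authorization rule side by side, plus an audit helper that flags entities created outside their creator's write scope. The class names, function names, record fields and sample data are all hypothetical and constructed for illustration.

```python
# Added illustration: a simplified permission model, not EclecticIQ Platform code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Group:
    """Hypothetical user group that also acts as a Source Group."""
    source_id: str
    allowed_sources: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class User:
    name: str
    groups: tuple  # Groups the user is directly assigned to


def readable_sources(user):
    """Read scope: own groups plus every Allowed source of those groups."""
    own = {g.source_id for g in user.groups}
    return own.union(*(g.allowed_sources for g in user.groups))


def writable_sources(user):
    """Write scope: only the groups the user directly belongs to."""
    return {g.source_id for g in user.groups}


def can_create_flawed(user, source_id):
    # Flawed rule described in the advisory: read scope reused for writes.
    return source_id in readable_sources(user)


def can_create_fixed(user, source_id):
    # Corrected rule described for 2.10.0: writes limited to assigned groups.
    return source_id in writable_sources(user)


def audit_entities(entities, users):
    """Return entities whose source is outside their creator's write scope."""
    return [e for e in entities
            if e["source_id"] not in writable_sources(users[e["created_by"]])]


# Constructed sample data.
ANALYSTS = Group("src-analysts", frozenset({"src-partner-feed"}))
ALICE = User("alice", (ANALYSTS,))
ENTITIES = [
    {"id": "e1", "source_id": "src-analysts", "created_by": "alice"},
    {"id": "e2", "source_id": "src-partner-feed", "created_by": "alice"},
]
```

Running `audit_entities` over an export of entity records after upgrading is one way to find data that was written to a read-only source while the flawed rule was in effect.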

Affected versions

2.9.1 and earlier.



This section is not visible to users accessing the public docs, it's for internal reference

See also:

In release notes 2.10.0

In release notes 2.9.2

In release notes 2.9.1