EIQ-2020-0008

EIQ-2020-0008

-

A signed-in user can access any datasets by adding them to workspaces they can access

20 Feb 2020

1 - LOW

CVSSv3 score not available on NIST NVD.

2.7.0

A signed-in platform user without admin access rights, and with at least the modify workspaces permission can gain unauthorized access to any platform datasets, regardless of their group memberships, permissions, and user access level.
To do so, a signed-in platform user must:

• Have the intel_sets IDs of the datasets they want to gain access to.

• Be able to intercept platform frontend requests to the backend to manipulate request bodies.

If a user has the IDs of the datasets they want to access, they can do the following:

• Open an unlisted workspace they are either the owner, or a collaborator of.

• Edit the workspace.

• Save the changes.

• Intercept the save workspace request.

• Browse to the intel_sets JSON field in the request body.
  Its value is an array, where each array member corresponds to an ID value identifying a platform dataset.

• Modify the members of the intel_sets array to include valid IDs of the datasets they want to gain access to.

• Send the request with the modified body.

This enables users to:

• Edit datasets by adding new entities to them.

• Delete datasets.

The exploit does not enable users to gain unauthorized access to any entities in these datasets.
They can view and access entities based on their designated user roles and group memberships.

However, it enables users to create new entities, and to add them to these datasets.
If such a dataset is a data source for the content of an outgoing feed, it is possible to disseminate these entities through the feed.

We plan to implement stricter backend checking for user roles, group roles, and permissions from release 2.7.0 to intercept and to block unauthorized dataset access through POST and PUT requests that try to pass tampered request body data.

Upgrade to EclecticIQ Platform 2.7.0 or later.

2.6.0 and earlier.

-