EIQ-2021-0010

ID

EIQ-2021-0010

CVE

-

Description

Users holding only the “modify files” permission can move files from their own workspace into other workspaces they do not have access to.

Date

17 August 2021

Severity

2 - MEDIUM

CVSSv3 score

CVSSv3 score not available on NIST NVD

Status

Fixed in 2.11.0

Assessment

An attacker with:

  • Only the “modify files” permission

  • Access to one workspace (“Workspace 1”) as a “Collaborator”

can send files from “Workspace 1” to other users’ private workspaces by sending a PUT /private/files/{id} request and specifying, in the payload, the ID of a workspace they do not have access to. The platform checks the global permission but not the caller’s role on the target workspace.

Expected:

A user should only be able to attach files to workspaces on which they are at least a “Collaborator”.
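The authorisation gap described above next to its hardened form, as an added illustration that is not the platform’s own code: the data model, role names, role ranking and function names are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Workspace role ranking (assumed for this example): higher means more rights.
ROLE_RANK = {"viewer": 1, "collaborator": 2, "owner": 3}

@dataclass
class User:
    permissions: set[str]                                 # global permissions, e.g. "modify_files"
    roles: dict[int, str] = field(default_factory=dict)   # workspace id -> role name

@dataclass
class File:
    file_id: int
    workspace_id: int

def can_attach_to(user: User, workspace_id: int) -> bool:
    """True when the user is at least a Collaborator on the given workspace."""
    role = user.roles.get(workspace_id)
    return role is not None and ROLE_RANK[role] >= ROLE_RANK["collaborator"]

def move_file_vulnerable(user: User, f: File, target_workspace_id: int) -> File:
    """Pre-fix behaviour: only the global permission is checked, so the workspace
    id taken from the PUT payload is never authorised against the caller's roles."""
    if "modify_files" not in user.permissions:
        raise PermissionError("missing modify files permission")
    f.workspace_id = target_workspace_id
    return f

def move_file_fixed(user: User, f: File, target_workspace_id: int) -> File:
    """Hardened handler: besides the global permission, the caller must be at
    least a Collaborator on both the file's current and its destination workspace."""
    if "modify_files" not in user.permissions:
        raise PermissionError("missing modify files permission")
    if not can_attach_to(user, f.workspace_id):
        raise PermissionError("no access to the file's current workspace")
    if not can_attach_to(user, target_workspace_id):
        raise PermissionError("no access to the target workspace")
    f.workspace_id = target_workspace_id
    return f

# Constructed sample: a user with modify files permission who is a Collaborator on Workspace 1 only.
alice = User({"modify_files"}, {1: "collaborator"})

if __name__ == "__main__":
    print("vulnerable:", move_file_vulnerable(alice, File(10, 1), 2))   # moved into workspace 2
    try:
        move_file_fixed(alice, File(10, 1), 2)
    except PermissionError as exc:
        print("fixed:", exc)                                           # refused
```

A Viewer on the destination workspace is refused by the hardened handler too, since Viewer ranks below Collaborator.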

Mitigation

A fix is planned in which the platform enforces workspace permissions correctly on this request.

Affected versions

2.10.x and earlier

Notes

N/A


In release notes 2.10.1