EIQ-2021-0015

ID

EIQ-2021-0015

CVE

-

Description

Users with only modify workspace-comments and read workspace permissions can edit and delete comments in workspaces where they are set as a collaborator.

Date

22 September 2021

Severity

2 - MEDIUM

CVSSv3 score

CVSSv3 score not available on NIST NVD

Status

Planned

Assessment

An attacker who:

  • has modify workspace-comments permissions

  • has read workspaces permissions

  • is a collaborator in a workspace (“Workspace 1”) shared with at least one other user (“User 2”)

can edit and delete any comment in that workspace (“Workspace 1”), including comments written by other users, as long as they remain a collaborator on that workspace.

If the other user (“User 2”) writes a comment (“Comment 1”) in that workspace (“Workspace 1”), the attacker can change that comment by sending:

  • A PUT /private/workspace-comments/{id} request, with the following payload:

    {"data": {"text": "<change comment to this text>"}}

    to change the text of that comment to “<change comment to this text>”.

  • A DELETE /private/workspace-comments/{id} request to delete that comment.

Expected:

Users should not be able to modify comments that they did not write.
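The following is an added illustration of the authorization gap described above, written for this advisory page; it is not EclecticIQ platform code. It models the two checks the advisory names (the "modify workspace-comments" and "read workspaces" permissions plus workspace collaborator membership) and shows why they are insufficient on their own: a handler that stops there lets any collaborator rewrite or delete another user's comment, while the hardened handler additionally requires the caller to be the comment's author. The PUT payload shape and the Workspace 1 / User 2 / Comment 1 scenario come from the advisory; all class and function names, and the in-memory store standing in for the real backend, are assumptions made for the example.

```python
from dataclasses import dataclass

# Permission names as quoted in the advisory. Everything else in this file
# (the dataclasses, the handlers, the in-memory store) is a constructed model.
MODIFY_COMMENTS = "modify workspace-comments"
READ_WORKSPACES = "read workspaces"


class Forbidden(Exception):
    """Raised when an authorization check fails (maps to an HTTP 403)."""


@dataclass
class User:
    name: str
    permissions: frozenset


@dataclass
class Workspace:
    name: str
    collaborators: set  # user names that share the workspace


@dataclass
class Comment:
    id: int
    workspace: Workspace
    author: User
    text: str


def authorize_vulnerable(user, comment):
    """Coarse checks only: role permissions and collaborator membership.

    This is the behaviour the advisory describes. Nothing here looks at who
    wrote the comment, so every collaborator passes for every comment."""
    if MODIFY_COMMENTS not in user.permissions or READ_WORKSPACES not in user.permissions:
        raise Forbidden("missing workspace-comment permissions")
    if user.name not in comment.workspace.collaborators:
        raise Forbidden("not a collaborator on this workspace")


def authorize_fixed(user, comment):
    """Hardened check: the same coarse checks, plus an ownership check so that
    users cannot modify comments they did not write (the advisory's expectation)."""
    authorize_vulnerable(user, comment)
    if comment.author.name != user.name:
        raise Forbidden("only the comment author may modify or delete it")


def put_comment(store, authorize, user, comment_id, payload):
    """Models PUT /private/workspace-comments/{id} with {"data": {"text": ...}}."""
    comment = store[comment_id]
    authorize(user, comment)
    comment.text = payload["data"]["text"]
    return comment


def delete_comment(store, authorize, user, comment_id):
    """Models DELETE /private/workspace-comments/{id}."""
    comment = store[comment_id]
    authorize(user, comment)
    del store[comment_id]
    return True


def run_scenario(authorize):
    """Replays the advisory's scenario against a given authorization policy:
    User 2 writes Comment 1 in Workspace 1; another collaborator holding only
    the two listed permissions tries to edit and then delete it. Returns what
    each request was allowed to do and the comment's final text (None if deleted)."""
    workspace = Workspace("Workspace 1", collaborators={"collaborator", "User 2"})
    collaborator = User("collaborator", frozenset({MODIFY_COMMENTS, READ_WORKSPACES}))
    user2 = User("User 2", frozenset({MODIFY_COMMENTS, READ_WORKSPACES}))
    store = {1: Comment(1, workspace, user2, "original text")}  # Comment 1
    outcome = {}

    def attempt(key, action):
        try:
            action()
            outcome[key] = True
        except Forbidden:
            outcome[key] = False

    attempt("attacker_put", lambda: put_comment(
        store, authorize, collaborator, 1, {"data": {"text": "changed by collaborator"}}))
    attempt("author_put", lambda: put_comment(
        store, authorize, user2, 1, {"data": {"text": "author edit"}}))
    attempt("attacker_delete", lambda: delete_comment(store, authorize, collaborator, 1))
    outcome["final_text"] = store[1].text if 1 in store else None
    return outcome


if __name__ == "__main__":
    print("vulnerable:", run_scenario(authorize_vulnerable))
    print("fixed:     ", run_scenario(authorize_fixed))
```

Under the vulnerable policy the collaborator's PUT and DELETE both succeed and Comment 1 disappears; under the fixed policy both are refused with a Forbidden, while User 2 can still edit their own comment. The ownership check belongs in the server-side handler for both verbs, since a client cannot be trusted to enforce it.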

Mitigation

A fix is planned in which the platform enforces comment permissions correctly, so that only the author of a comment can edit or delete it.

Affected versions

2.10.x and earlier

Notes

N/A


In release notes 2.11.0