EIQ-2022-0004

ID	EIQ-2022-0004
CVE	N/A
Description	The public API allows users with only ‘read knowledge-packs’ permissions to delete knowledge packs.
Date	2 Aug 2022
Severity	1 - LOW
CVSSv3 score	2.7
Status	In-progress
Assessment	Overview Users with only `read knowledge-packs` permissions can delete knowledge packs from the IC by sending a `DELETE /knowledge-packs/{id}` request. Requirements User with at least `read knowledge-packs` permissions. To replicate: Create a user (e.g., a user with user name `kp-reader`) with only `read knowledge-packs` permissions. Make a GET request to retrieve the ID of any knowledge pack on the IC. You can do this by retrieving a single knowledge pack with: `GET` `/knowledge-packs?limit=1&attributes=name,id` Send a delete `DELETE /knowledge-packs/{id}` request. E.g.: `DELETE` `/knowledge-packs/f5d14fe6-dbb5-4459-969d-805baebcfb07` Expected: The `DELETE` request should fail with a `401 Unauthorized` error. Actual: The knowledge pack is deleted.
Mitigation	Fix is planned. Administrators should only assign `read knowledge-packs` permissions to users who need to manage knowledge packs. Users do not need `read knowledge-packs` permissions to see content downloaded from a knowledge pack. Instead, they should be assigned permissions to access the objects produced by the knowledge packs (e.g. Group permissions, permissions to see workspaces, entities, etc.)
Affected versions	2.13.0 and earlier, with the public api v1.1.3 and earlier installed
Notes	N/A