EIQ-2022-0004

ID

EIQ-2022-0004

CVE

N/A

Description

The public API allows users with only ‘read knowledge-packs’ permissions to delete knowledge packs.

Date

2 Aug 2022

Severity

1 - LOW

CVSSv3 score

2.7

Status

images/download/attachments/86441855/clock.svg-x24.png In-progress

Assessment

Overview

Users with only read knowledge-packs permissions can delete knowledge packs from the IC by sending a DELETE /knowledge-packs/{id} request. Requirements

User with at least read knowledge-packs permissions.

To replicate:

  1. Create a user (e.g., a user with user name kp-reader) with only read knowledge-packs permissions.

  2. Make a GET request to retrieve the ID of any knowledge pack on the IC. You can do this by retrieving a single knowledge pack with:

    GET /knowledge-packs?limit=1&attributes=name,id
  3. Send a delete DELETE /knowledge-packs/{id} request. E.g.:

    DELETE /knowledge-packs/f5d14fe6-dbb5-4459-969d-805baebcfb07

Expected: The DELETE request should fail with a 401 Unauthorized error.

Actual: The knowledge pack is deleted.

Mitigation

Fix is planned.

Administrators should only assign read knowledge-packs permissions to users who need to manage knowledge packs.

Users do not need read knowledge-packs permissions to see content downloaded from a knowledge pack. Instead, they should be assigned permissions to access the objects produced by the knowledge packs (e.g. Group permissions, permissions to see workspaces, entities, etc.)

Affected versions

2.13.0 and earlier, with the public api v1.1.3 and earlier installed

Notes

N/A