EIQ-2021-0007

ID

EIQ-2021-0007

CVE

-

Description

Users could create entities in Source Groups indirectly assigned through Groups, instead of only being able to create entities in Groups they are directly assigned to.

Date

05 March 2021

Severity

1 - LOW

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✅ 2.9.2

Assessment

A user could create entities and observables in a Source Group that:

  • is one of the Allowed sources set for their assigned user groups,

  • but is not a Group that they actually belong to.

Instead, users should only be able to read data from Allowed sources, not write to them. For more information on user permissions, see User permissions.

The issue is caused by the way the platform handles a user’s assigned permissions for groups and allowed sources.

This only affects user write permissions to data sources they should only have read-only permissions for. Users cannot delete or overwrite existing data in these sources, reducing the severity of this advisory.

Replicate this issue by sending a POST request to the /private/entities endpoint to create a new entity. The POST payload should set the entity’s .source.id attribute to the id of a Source group that fulfills the conditions above.

Mitigation

This vulnerability is addressed in EclecticIQ Platform 2.10.0 by correctly restricting a user’s write permissions to assigned Groups only, instead of allowing entity creation on Allowed sources.
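The permission flaw and its fix, modelled as an added example that is not EclecticIQ's code: the pre-fix check grants write access anywhere the user can read (assigned Groups plus Allowed sources), while the corrected check limits writes to directly assigned Groups. The User class, the function names, the sample groups and the payload shape (a dict whose .source.id names the target Source group) are assumptions constructed for illustration.

```python
"""Added example (not EclecticIQ's implementation): models the authorization
flaw in EIQ-2021-0007 beside the corrected check.

User, can_create_entity_*, the sample groups and the payload are constructed
assumptions; the platform's real code is not shown on the advisory page.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    # Groups the user is directly assigned to (read and write).
    assigned_groups: set[str] = field(default_factory=set)
    # Allowed sources: Source Groups the assigned Groups may read from.
    allowed_sources: set[str] = field(default_factory=set)

    def readable_sources(self) -> set[str]:
        # Read access spans assigned Groups and their Allowed sources.
        return self.assigned_groups | self.allowed_sources


def can_create_entity_vulnerable(user: User, payload: dict) -> bool:
    """Pre-fix behaviour: writes are accepted wherever the user may read,
    so a Source Group that is merely an Allowed source takes new entities."""
    source_id = payload["source"]["id"]
    return source_id in user.readable_sources()


def can_create_entity_fixed(user: User, payload: dict) -> bool:
    """Corrected behaviour (per the Mitigation above): writes are limited
    to Groups the user is directly assigned to."""
    source_id = payload["source"]["id"]
    return source_id in user.assigned_groups


# Constructed sample: "alice" belongs to "analysts", which is allowed to
# read from "partner-feed" but must never write into it.
ANALYST = User("alice", assigned_groups={"analysts"},
               allowed_sources={"partner-feed"})

# Constructed payload in the shape the advisory describes: .source.id
# names the Allowed source rather than an assigned Group.
PAYLOAD = {"type": "indicator", "source": {"id": "partner-feed"}}

if __name__ == "__main__":
    print("vulnerable check allows write:", can_create_entity_vulnerable(ANALYST, PAYLOAD))
    print("fixed check allows write:", can_create_entity_fixed(ANALYST, PAYLOAD))
```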

Affected versions

2.9.1 and earlier.

Notes

n.a.