EIQ-2021-0010

ID

EIQ-2021-0010

CVE

-

Description

Users with only the “modify files” permission can move files from their workspace to other workspaces they don’t have access to.

Date

17 August 2021

Severity

2 - MEDIUM

CVSSv3 score

CVSSv3 score not available on NIST NVD

Status

✅ 2.11.0

Assessment

An attacker with:

  • Only modify files permissions

  • Access to one workspace (“Workspace 1”) as a “Collaborator”

can send files from “Workspace 1” to other users’ private workspaces by sending a PUT /private/files/{id} request and specifying, in the payload, the ID of a workspace they do not have access to.

Expected:

User should only be able to attach files to workspaces that they are at least a “Collaborator” on.
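The following is an added illustration of the authorization check the expected behaviour calls for; it is not EclecticIQ platform code. It models a file-update handler twice: a pre-fix version that trusts the workspace ID in the request body once the caller holds the platform-wide “modify files” permission, and a hardened version that additionally requires at least “Collaborator” membership on the target workspace (and, as a design choice that goes slightly beyond the advisory's stated expectation, on the file's current workspace too). The data model, role names, function names and the `Forbidden` exception are assumptions made for the example.

```python
"""Object-level authorization for attaching a file to a workspace.

Added example, not EclecticIQ code. Data model, role names and function
names are assumptions; the scenario in demo() is constructed from the
advisory (Collaborator on workspace 1 only, target workspace 2).
"""
from dataclasses import dataclass

# Roles ordered by privilege. "Collaborator" is the minimum role that may
# attach files to a workspace, matching the expected behaviour above.
ROLE_RANK = {"Viewer": 0, "Collaborator": 1, "Owner": 2}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the update."""


@dataclass
class User:
    name: str
    permissions: set   # platform-wide permissions, e.g. {"modify files"}
    memberships: dict  # workspace_id -> role name


@dataclass
class File:
    file_id: int
    workspace_id: int


def has_role(user, workspace_id, minimum="Collaborator"):
    """True if the user is a member of the workspace at >= `minimum` role."""
    role = user.memberships.get(workspace_id)
    return role is not None and ROLE_RANK[role] >= ROLE_RANK[minimum]


def update_file_vulnerable(user, files, file_id, payload):
    """Pre-fix behaviour: only the platform-wide permission is checked, so
    the workspace ID supplied in the request body is trusted as-is."""
    if "modify files" not in user.permissions:
        raise Forbidden("missing 'modify files' permission")
    f = files[file_id]
    f.workspace_id = payload["workspace_id"]  # no membership check on target
    return f


def update_file_fixed(user, files, file_id, payload):
    """Hardened: the caller must hold at least Collaborator on the file's
    current workspace and on the workspace named in the payload."""
    if "modify files" not in user.permissions:
        raise Forbidden("missing 'modify files' permission")
    f = files[file_id]
    target = payload["workspace_id"]
    if not has_role(user, f.workspace_id):
        raise Forbidden(f"not a collaborator on source workspace {f.workspace_id}")
    if not has_role(user, target):
        raise Forbidden(f"not a collaborator on target workspace {target}")
    f.workspace_id = target
    return f


def demo():
    """Constructed scenario: Collaborator on workspace 1 only, file in
    workspace 1, request names workspace 2. Returns (workspace the file ends
    up in under the vulnerable handler, whether the fixed handler refused,
    workspace the file ends up in under the fixed handler)."""
    alice = User("alice", {"modify files"}, {1: "Collaborator"})

    files = {10: File(10, 1)}
    moved_to = update_file_vulnerable(alice, files, 10, {"workspace_id": 2}).workspace_id

    files = {10: File(10, 1)}
    try:
        update_file_fixed(alice, files, 10, {"workspace_id": 2})
        refused = False
    except Forbidden:
        refused = True
    return moved_to, refused, files[10].workspace_id


if __name__ == "__main__":
    print(demo())  # (2, True, 1): vulnerable handler moved it, fixed one refused
```

The point of the hardened handler is that the workspace ID in the body is an untrusted object reference: the check has to be made against the caller's membership in that specific workspace, not against a global permission bit. A denied `Forbidden` here is also a useful audit event to log, since a legitimate client should rarely name a workspace its user cannot see.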

Mitigation

Planned fix, in which the platform enforces workspace permissions correctly.

Affected versions

2.10.x and earlier

Notes

N/A