EIQ-2021-0011

ID

EIQ-2021-0011

CVE

-

Description

Users without direct assignment to a listed workspace can view details they should not see.

Date

17 August 2021

Severity

1 - LOW

CVSSv3 score

CVSSv3 score not available on NIST NVD

Status

✅ 2.11.0

Assessment

Workspaces have two visibility states:

  • Listed: Workspace name and description are available to all users who have at least the read workspaces permission.

  • Unlisted: Workspace is visible only to the users and groups it is shared with.

An attacker who has the read workspaces permission but is not assigned to a Listed workspace can view details of that workspace that they should not be able to access, provided they also hold the permission noted for each, such as the workspace's:

  • Comments (requires read workspace-comments)

  • History (requires read history-events)

  • Tasks (requires read tickets)

  • Task comments (requires read ticket-comments)

  • etc.

Expected:

Users who are not at least a collaborator on a Listed workspace should only be able to see the title and description of that workspace.
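The visibility rules above reduce to an object-level authorization check that the affected versions skip for sub-resources of Listed workspaces. The following is an added example written for this advisory, not EclecticIQ platform code: it models the two behaviours side by side with a hypothetical user/workspace model (the permission names are taken from the advisory; class and function names, and the sample users and workspaces, are constructed) and lists which resources the vulnerable check exposes that the expected check denies.

```python
from dataclasses import dataclass

# Permission names follow the advisory's wording (e.g. "read workspaces").
# The classes, helper functions and sample data below are a hypothetical
# model written for this example, not the platform's own code.
RESOURCE_PERMISSION = {
    "title": "read workspaces",
    "description": "read workspaces",
    "comments": "read workspace-comments",
    "history": "read history-events",
    "tasks": "read tickets",
    "task-comments": "read ticket-comments",
}
# The only details a non-collaborator may see on a Listed workspace.
METADATA = {"title", "description"}


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # global permission names held by the user


@dataclass(frozen=True)
class Workspace:
    name: str
    listed: bool
    collaborators: frozenset  # user names the workspace is shared with


def can_view_vulnerable(user, ws, resource):
    """Behaviour described for 2.10.x and earlier: once a workspace is
    Listed, every sub-resource is gated on the global permission alone,
    so workspace membership is never consulted."""
    if not ws.listed and user.name not in ws.collaborators:
        return False
    return RESOURCE_PERMISSION[resource] in user.permissions


def can_view_fixed(user, ws, resource):
    """Expected behaviour: the global permission is still required, but a
    non-collaborator on a Listed workspace gets title and description only;
    everything else additionally requires membership."""
    is_member = user.name in ws.collaborators
    if not ws.listed and not is_member:
        return False
    if RESOURCE_PERMISSION[resource] not in user.permissions:
        return False
    if resource in METADATA:
        return True
    return is_member


def leaked_resources(user, ws):
    """Resources the vulnerable check exposes that the fixed check denies."""
    return sorted(
        r for r in RESOURCE_PERMISSION
        if can_view_vulnerable(user, ws, r) and not can_view_fixed(user, ws, r)
    )


# Constructed sample data: an outsider holding every read permission but no
# workspace assignment, a collaborator, and one workspace in each state.
ALL_READ = frozenset(RESOURCE_PERMISSION.values())
OUTSIDER = User("mallory", ALL_READ)
MEMBER = User("alice", ALL_READ)
LISTED = Workspace("Incident 42", listed=True, collaborators=frozenset({"alice"}))
UNLISTED = Workspace("Due diligence", listed=False, collaborators=frozenset({"alice"}))

if __name__ == "__main__":
    print(leaked_resources(OUTSIDER, LISTED))    # comments, history, task-comments, tasks
    print(leaked_resources(OUTSIDER, UNLISTED))  # [] : unlisting closes the leak
    print(leaked_resources(MEMBER, LISTED))      # [] : collaborators are unaffected
```

The second call is the workaround the advisory recommends for unpatched deployments: with the workspace Unlisted, the membership check runs before any permission is considered, so the outsider sees nothing at all, not even the title.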

Mitigation

Fixed in 2.11.0, where the platform enforces these permissions correctly. The information leak requires a specific chain of permissions (read workspaces plus the permission for the sub-resource in question), and on earlier versions it can be prevented by unlisting any workspace whose details must not be exposed to non-collaborators.

Affected versions

2.10.x and earlier

Notes

N/A