EIQ-2021-0013

ID

EIQ-2021-0013

CVE

-

Description

Users holding only the "modify entities" and "read files" permissions can access and export attachments that belong to report entities they are not authorized to read.

Date

17 August 2021

Severity

2 - MEDIUM

CVSSv3 score

CVSSv3 score not available on NIST NVD

Status

✅ 2.11.0

Assessment

An attacker holding both of these permissions:

  • modify entities

  • read files

can:

  1. Create, or pick an existing, report entity that they are allowed to modify (call it “Report_1”).

  2. Send a PUT /private/entities/{id} request for Report_1 and, in the payload, list the IDs of the attachments to attach to it. Specifically, list the IDs of attachments that currently belong to report entities the attacker is not authorized to read. The platform checks that the attacker may modify Report_1, but does not check whether they may read the attachments being referenced, so the request succeeds.

  3. Export Report_1 as EclecticIQ JSON. The export embeds every attached file as a Base64-encoded string, so the attacker recovers the contents of the foreign attachments simply by decoding those strings.

Expected:

Users should not be able to access attachments from report entities that they are not authorized to access.
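The authorization gap above, reduced to a minimal in-memory model so the missing check can be seen next to the one that closes it. This is an added example, not EclecticIQ code: the store layout, the ACL fields ("readers", "editors"), the payload key "attachments" and the user names are all assumptions chosen to illustrate the advisory, and the sample data is constructed.

```python
"""
Added example (not EclecticIQ code): in-memory model of EIQ-2021-0013.

Assumptions not taken from the advisory: entities and attachments are dicts,
ACLs are sets of user names, the PUT payload references attachments under an
"attachments" key, and users "mallory" and "alice" are illustrative.
"""
import base64
import json


class PermissionDenied(Exception):
    pass


def make_store():
    """Constructed sample data: two reports, one attachment each.
    mallory may edit report-1 but may not read report-2 or its attachment."""
    return {
        "attachments": {
            "att-1": {"entity": "report-1", "filename": "iocs.csv", "data": b"evil.example,1.2.3.4\n"},
            "att-2": {"entity": "report-2", "filename": "secret.txt", "data": b"restricted indicator list\n"},
        },
        "entities": {
            "report-1": {"readers": {"alice", "mallory"}, "editors": {"mallory"}, "attachments": ["att-1"]},
            "report-2": {"readers": {"alice"}, "editors": {"alice"}, "attachments": ["att-2"]},
        },
        "permissions": {
            "mallory": {"modify entities", "read files"},
            "alice": {"modify entities", "read files"},
        },
    }


def require_modify(store, user, entity_id):
    """The check both handlers share: the caller may modify the target entity."""
    ent = store["entities"][entity_id]
    if "modify entities" not in store["permissions"][user] or user not in ent["editors"]:
        raise PermissionDenied("%s may not modify %s" % (user, entity_id))
    return ent


def vulnerable_update(store, user, entity_id, payload):
    """Behaviour the advisory describes: attachment IDs in the payload are only
    checked for existence, never against the entity they currently belong to."""
    ent = require_modify(store, user, entity_id)
    for att_id in payload["attachments"]:
        if att_id not in store["attachments"]:
            raise KeyError(att_id)
    ent["attachments"] = list(payload["attachments"])
    return ent


def hardened_update(store, user, entity_id, payload):
    """Closing the gap: a referenced attachment is accepted only if the caller
    may read the entity it currently belongs to."""
    ent = require_modify(store, user, entity_id)
    for att_id in payload["attachments"]:
        owner = store["attachments"][att_id]["entity"]  # KeyError for unknown IDs, as before
        if user not in store["entities"][owner]["readers"]:
            raise PermissionDenied("%s may not read attachment %s (owned by %s)" % (user, att_id, owner))
    ent["attachments"] = list(payload["attachments"])
    return ent


def export_json(store, user, entity_id):
    """Export an entity with its attachments embedded as Base64 strings, the
    format the advisory says leaks the data. Only the exported entity and the
    'read files' permission are checked, so a mis-attached file comes along."""
    ent = store["entities"][entity_id]
    if user not in ent["readers"] or "read files" not in store["permissions"][user]:
        raise PermissionDenied("%s may not export %s" % (user, entity_id))
    return json.dumps({
        "id": entity_id,
        "attachments": [
            {"id": a, "filename": store["attachments"][a]["filename"],
             "content": base64.b64encode(store["attachments"][a]["data"]).decode("ascii")}
            for a in ent["attachments"]
        ],
    })


def decode_attachments(exported):
    """What the attacker does with the export: Base64 strings back to bytes."""
    return {a["id"]: base64.b64decode(a["content"]) for a in json.loads(exported)["attachments"]}


def run(update):
    """Replay the advisory's three steps against one update handler. Returns the
    attachment bytes mallory ends up holding, or the error that stopped them."""
    store = make_store()
    payload = {"attachments": ["att-1", "att-2"]}  # att-2 belongs to report-2, unreadable for mallory
    try:
        update(store, "mallory", "report-1", payload)
    except PermissionDenied as e:
        return {"error": str(e)}
    return decode_attachments(export_json(store, "mallory", "report-1"))


if __name__ == "__main__":
    print("vulnerable:", run(vulnerable_update))
    print("hardened:  ", run(hardened_update))
```

The point of the hardened handler is where the check sits: at write time, on every object ID the payload references, against the object's current owner. Checking only the target entity, as the vulnerable handler does, lets the export step inherit the caller's rights on Report_1 and apply them to files that were never theirs.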

Mitigation

Fixed in 2.11.0, where the platform checks that a user is authorized to read an attachment before it can be referenced from an entity they modify. Until upgrading, the exposure is limited to users who hold both the "modify entities" and "read files" permissions, so restricting those permissions to trusted users narrows the set of accounts that can perform the steps above.

Affected versions

2.10.x and earlier

Notes

N/A