EIQ-2021-0014

ID

EIQ-2021-0014

CVE

-

Description

Users with only modify workspaces permissions can add or remove collaborators on a workspace they have access to

Date

17 August 2021

Severity

1 - LOW

CVSSv3 score

CVSSv3 score not available on NIST NVD

Status

✅ 2.11.0

Assessment

An attacker with these permissions:

  • modify workspaces

  • read graphs (to avoid crashing the UI)

Can:

  1. Create a new user account for the attacker (“User_attacker”). This user should be the sole member of their group.

  2. Create an empty workspace (“Workspace_1”).

  3. Add the attacker (“User_attacker”) to the workspace (“Workspace_1”) as a collaborator.

  4. As the attacker (“User_attacker”), send a PUT /private/workspaces/{id} request.

    In the payload, send a list of users to add them to the workspace as collaborators:

    {
      "data": {
        "user_roles": [
          { "user": <user_id>, "role": "collaborator" },
          { ... }
        ]
      }
    }


Expected:

Users should only be able to add user accounts they can access to their workspaces as collaborators.
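As an added illustration of that expected check (example code written for this page, not EclecticIQ platform code): a hypothetical handler for the PUT /private/workspaces/{id} payload above, in its pre-fix form beside a hardened form that rejects any user id the caller cannot access and validates the whole list before writing. The User/group visibility rule, the permission names, the Forbidden exception and the scenario data are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    group: str              # assumed visibility rule: users see only their own group
    permissions: frozenset  # e.g. {"modify_workspaces", "read_graphs"}

class Forbidden(Exception):
    pass
def visible_user_ids(caller, users):
    """Assumed rule: a caller can access only users in their own group."""
    return {u.id for u in users if u.group == caller.group}

def _check_workspace_access(caller, user_roles):
    if "modify_workspaces" not in caller.permissions:
        raise Forbidden("modify workspaces permission required")
    if caller.id not in user_roles:
        raise Forbidden("caller is not a member of this workspace")
def update_user_roles_vulnerable(caller, user_roles, payload):
    """Pre-fix behaviour: coarse checks only, then trusts every user id."""
    _check_workspace_access(caller, user_roles)
    for entry in payload["data"]["user_roles"]:
        user_roles[entry["user"]] = entry["role"]
    return user_roles
def update_user_roles_fixed(caller, user_roles, payload, users):
    """Hardened: every referenced user must be accessible to the caller,
    and the whole list is validated before anything is written."""
    _check_workspace_access(caller, user_roles)
    allowed = visible_user_ids(caller, users)
    entries = payload["data"]["user_roles"]
    hidden = [e["user"] for e in entries if e["user"] not in allowed]
    if hidden:
        raise Forbidden(f"user ids not accessible to caller: {hidden}")
    for entry in entries:
        user_roles[entry["user"]] = entry["role"]
    return user_roles

def demo():
    """Constructed scenario from the advisory; returns (added_before_fix, added_after_fix)."""
    attacker = User(1, "attackers", frozenset({"modify_workspaces", "read_graphs"}))
    analyst = User(2, "analysts", frozenset({"read_graphs"}))
    payload = {"data": {"user_roles": [{"user": analyst.id, "role": "collaborator"}]}}
    before, after = {attacker.id: "collaborator"}, {attacker.id: "collaborator"}
    update_user_roles_vulnerable(attacker, before, payload)
    try:
        update_user_roles_fixed(attacker, after, payload, [attacker, analyst])
    except Forbidden:
        pass
    return analyst.id in before, analyst.id in after
```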

Mitigation

Planned fix in which the platform enforces these permissions correctly.

Affected versions

2.10.x and earlier

Notes

N/A