Assessment
Overview
Users with only read knowledge-packs permissions can delete knowledge packs from the IC by sending a DELETE /knowledge-packs/{id} request.
Requirements
User with at least read knowledge-packs permissions.
To replicate:
1. Create a user (e.g., a user with user name kp-reader) with only read knowledge-packs permissions.
2. Make a GET request to retrieve the ID of any knowledge pack on the IC. You can do this by retrieving a single knowledge pack with:
   GET /knowledge-packs?limit=1&attributes=name,id
3. Send a DELETE /knowledge-packs/{id} request, e.g.:
   DELETE /knowledge-packs/f5d14fe6-dbb5-4459-969d-805baebcfb07
Expected: The DELETE request should fail with a 401 Unauthorized error.
Actual: The knowledge pack is deleted.
Mitigation
Fix is planned.
Administrators should only assign read knowledge-packs permissions to users who need to manage knowledge packs.
Users do not need read knowledge-packs permissions to see content downloaded from a knowledge pack. Instead, they should be assigned permissions to access the objects produced by the knowledge packs (e.g. Group permissions, permissions to see workspaces, entities, etc.)
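The following is an added illustration, not code from the IC or from the vendor, of the authorization defect the assessment describes and of the method-aware check that the mitigation implies: the permission an endpoint requires must depend on the HTTP method, so that a read grant never satisfies a DELETE. The permission names, the User type and the placeholder pack ID are assumptions made for the example; the advisory itself only names the "read knowledge-packs" permission.

```python
"""Added example: method-aware authorization for a /knowledge-packs endpoint.

Not the product's code. It contrasts a flawed check that accepts any
knowledge-packs permission for every method with a hardened check that
maps each method to the privilege it requires.
"""
from dataclasses import dataclass, field

RESOURCE = "knowledge-packs"

# Permission names. Only READ_PERM appears in the advisory; DELETE_PERM is an
# assumed name for the privilege that a DELETE request should require.
READ_PERM = "read knowledge-packs"
DELETE_PERM = "delete knowledge-packs"

# Constructed placeholder pack ID (not a real object).
EXAMPLE_PACK_PATH = "/knowledge-packs/example-pack-id"


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


def _on_resource(path: str) -> bool:
    return path == f"/{RESOURCE}" or path.startswith(f"/{RESOURCE}/") \
        or path.startswith(f"/{RESOURCE}?")


def authorize_weak(user: User, method: str, path: str) -> int:
    """Simplified reproduction of the flaw: holding *any* permission on the
    resource (read included) is treated as sufficient for every method."""
    if not _on_resource(path):
        return 404
    if any(p.endswith(RESOURCE) for p in user.permissions):
        return 200
    return 401


# Hardened check: the required permission is chosen by HTTP method, so a
# read-only grant can satisfy GET but never DELETE.
REQUIRED_PERMISSION = {
    "GET": READ_PERM,
    "DELETE": DELETE_PERM,
}


def authorize_strict(user: User, method: str, path: str) -> int:
    if not _on_resource(path):
        return 404
    needed = REQUIRED_PERMISSION.get(method.upper())
    if needed is None:
        return 405  # method not supported on this resource
    if needed in user.permissions:
        return 200
    # 401 matches the response the advisory expects for the read-only user.
    return 401


def demo() -> dict:
    """Run the advisory's scenario against both checks."""
    reader = User("kp-reader", {READ_PERM})
    return {
        "weak_delete": authorize_weak(reader, "DELETE", EXAMPLE_PACK_PATH),
        "strict_delete": authorize_strict(reader, "DELETE", EXAMPLE_PACK_PATH),
        "strict_get": authorize_strict(
            reader, "GET", "/knowledge-packs?limit=1&attributes=name,id"),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

Run as a script it prints that the weak check returns 200 for the read-only user's DELETE while the strict check returns 401 and still allows the GET. The design point is that the per-method table is the single place where a reviewer can confirm no state-changing verb is reachable with a read-level grant.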