EIQ-2018-0020

ID

EIQ-2018-0020

(Former ref.: 27577)

CVE

-

Description

Access to data sources through the API

Date

-

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✅ 2.5.0

Assessment

A user with the modify groups permission and without the read sources permission can view data sources they do not have access to.

Using API calls, a user with the above permissions can also assign data sources to themselves or to other users.

This enables users to access and to apply actions on platform data that would normally not be accessible to them.

Mitigation

Permissions should allow users to access only the allowed data sources of the groups they are members of.

Affected versions

2.3.2 to 2.4.0 inclusive.

Notes

-
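
The check described under Assessment and Mitigation, sketched in Python as an added example (not code from the product or its vendor). The permission strings, classes and function names are hypothetical; the flawed function checks only the group permission, while the checked one also requires read access and limits the request to sources of the actor's own groups.

```python
from dataclasses import dataclass, field

# Hypothetical permission names and data model, constructed for illustration.
MODIFY_GROUPS = "modify groups"
READ_SOURCES = "read sources"

@dataclass
class User:
    name: str
    permissions: set
    groups: set = field(default_factory=set)

@dataclass
class Group:
    name: str
    sources: set = field(default_factory=set)

def allowed_sources(user, groups):
    """Data sources reachable through the groups the user is a member of."""
    return set().union(*(groups[g].sources for g in user.groups if g in groups))

def assign_sources_flawed(actor, group, requested):
    """Pattern from the assessment: only the group permission is checked."""
    if MODIFY_GROUPS not in actor.permissions:
        raise PermissionError("modify groups required")
    group.sources |= set(requested)

def assign_sources_checked(actor, group, requested, groups):
    """Require read access too, and limit the request to the actor's own sources."""
    if MODIFY_GROUPS not in actor.permissions:
        raise PermissionError("modify groups required")
    if READ_SOURCES not in actor.permissions:
        raise PermissionError("read sources required")
    denied = set(requested) - allowed_sources(actor, groups)
    if denied:
        raise PermissionError(f"sources outside actor's groups: {sorted(denied)}")
    group.sources |= set(requested)
```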