EIQ-2019-0034

ID

EIQ-2019-0034

CVE

-

Description

A private API endpoint could provide access to unauthorized data sources

Date

27 Sep 2019

Severity

0 - UNKNOWN

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✅ Fixed in 2.6.0

Assessment

The /private/entity-groups/${group_uuid} platform private API endpoint does not properly check source access permissions. This could allow a platform user to access platform resources that the roles and permissions assigned to them would not normally grant.

A signed-in user with at least the read entities permission, and without admin access rights, could use a command-line HTTP client to send a request to the endpoint and download entities originating from the same ingested package.

For example, a signed-in platform user with the read entities permission could obtain a group UUID from an entity pinned on a shared workspace.

They could then place the retrieved group UUID in the ${group_uuid} segment of the URL and send a cURL request to /private/entity-groups/${group_uuid}.

This would give them access to the ingested packages that have the group as a data source, and to the entities included in those packages, even if the group is not one of the sources they are permitted to read.
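The following is an added illustration, not EclecticIQ platform code: a minimal model of the check the assessment above describes as missing. The vulnerable variant verifies only the role permission, so anyone holding "read entities" and a leaked group UUID receives the group's packages; the hardened variant also verifies that the resolved group is a data source the caller may read. All names (User, Package, read_entity_group_unchecked, read_entity_group_checked), the UUIDs and the package data are hypothetical and constructed for the example.

```python
# Added example (not EclecticIQ platform code): models the source access check
# that the advisory says /private/entity-groups/${group_uuid} did not perform.
# Every name, UUID and package below is hypothetical / constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class User:
    name: str
    permissions: Set[str]      # role permissions, e.g. "read entities"
    source_groups: Set[str]    # UUIDs of the data-source groups this user may read


@dataclass(frozen=True)
class Package:
    uuid: str
    source_group: str          # UUID of the group the package was ingested from
    entities: List[str]


class Forbidden(Exception):
    pass


# Constructed sample data: two source groups, one ingested package each.
GROUP_A = "0f2a9c3e-1111-4c1e-9a8b-aaaaaaaaaaaa"
GROUP_B = "5d7e1b44-2222-4a0f-8c3d-bbbbbbbbbbbb"
KNOWN_GROUPS = {GROUP_A, GROUP_B}

PACKAGES: Dict[str, Package] = {
    "pkg-a": Package("pkg-a", GROUP_A, ["indicator-a1", "indicator-a2"]),
    "pkg-b": Package("pkg-b", GROUP_B, ["report-b1"]),
}


def _packages_for_group(group_uuid: str) -> List[Package]:
    return [p for p in PACKAGES.values() if p.source_group == group_uuid]


def read_entity_group_unchecked(user: User, group_uuid: str) -> List[Package]:
    """Models the reported behaviour (2.5.0 and earlier): only the role
    permission is verified. Knowing a group UUID is enough to receive the
    packages of that group, whether or not the caller may read that source."""
    if "read entities" not in user.permissions:
        raise Forbidden("missing 'read entities' permission")
    if group_uuid not in KNOWN_GROUPS:
        raise KeyError(group_uuid)
    return _packages_for_group(group_uuid)


def read_entity_group_checked(user: User, group_uuid: str) -> List[Package]:
    """Hardened variant: the group is treated as a data source and the
    caller's source access is checked before any package data is touched.
    Possession of the UUID is not authorisation."""
    if "read entities" not in user.permissions:
        raise Forbidden("missing 'read entities' permission")
    # Source check comes before the existence lookup, so an unknown UUID and
    # a forbidden one produce the same response and the endpoint does not
    # act as an oracle for which group UUIDs exist.
    if group_uuid not in user.source_groups:
        raise Forbidden("no access to this data source")
    if group_uuid not in KNOWN_GROUPS:
        raise KeyError(group_uuid)
    return _packages_for_group(group_uuid)


def access_denied(handler: Callable[[User, str], List[Package]],
                  user: User, group_uuid: str) -> bool:
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(user, group_uuid)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # alice may read group A only, but learned group B's UUID from a pinned entity.
    alice = User("alice", {"read entities"}, {GROUP_A})
    leaked = read_entity_group_unchecked(alice, GROUP_B)
    print("unchecked endpoint returned:", [p.uuid for p in leaked])
    print("checked endpoint denies group B:",
          access_denied(read_entity_group_checked, alice, GROUP_B))
```

The point of the ordering in the hardened handler is that authorization is decided from the resolved resource's owning data source and the caller's source permissions, not from the role permission alone; the role permission says the user may read entities in general, the source check says which entities.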

Mitigation

None at this time.

Affected versions

2.5.0 and earlier.

Notes

-