EIQ-2020-0001

ID

EIQ-2020-0001

CVE

-

Description

A signed-in user can view saved graph thumbnails

Date

09 Jan 2020

Severity

1 - LOW

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✅ 2.7.0

Assessment

A signed-in platform user without admin access rights can view the thumbnail of a graph saved to an unlisted workspace, regardless of the user being a collaborator of the unlisted workspace or not.

To do so, a signed-in platform user must have the ID of the graph whose thumbnail they want to access.

A graph ID is the numeric value assigned to the graph-editor URL parameter.

Example: https://${platform_host_name}/main/intel/workspaces/3?graph-editor=13

In the example URL 3 is the workspace ID, and 13 the graph ID.

To access a thumbnail by graph ID:

  • Sign in to the platform to access the GUI.

  • In the browser address bar, enter https://${platform_host_name}/private/graphs/${graph_id}/thumbnail

  • Replace ${graph_id} with the actual ID value of the graph whose thumbnail you want to access.

    For example: https://${platform_host_name}/private/graphs/13/thumbnail

    In the example URL 13 is the graph ID.

  • The corresponding graph is displayed as a thumbnail in .png format.

The small .png image size and low thumbnail resolution mean that graph content obtained this way cannot be meaningfully exploited.

We plan to enforce user access checks for saved graphs at the private API level from release 2.7.0.
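To illustrate the access check the fix describes, here is an added Python example that is not EclecticIQ's code: a hypothetical thumbnail handler in the pre-2.7.0 shape (sign-in is the only gate) beside one that enforces the workspace-collaborator check at the endpoint. The Workspace, Graph and User models and the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workspace:
    listed: bool                # unlisted workspaces are visible to collaborators only
    collaborators: frozenset = frozenset()

@dataclass(frozen=True)
class Graph:
    workspace_id: int
    thumbnail_png: bytes

@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False

# Constructed sample data: workspace 3 is unlisted and graph 13 is saved in it,
# reusing the IDs from the advisory's example URLs; user 1 is its only collaborator.
WORKSPACES = {3: Workspace(listed=False, collaborators=frozenset({1})),
              4: Workspace(listed=True)}
GRAPHS = {13: Graph(workspace_id=3, thumbnail_png=b"\x89PNG-constructed-13"),
          14: Graph(workspace_id=4, thumbnail_png=b"\x89PNG-constructed-14")}

def can_view_graph(user: User, graph: Graph) -> bool:
    """Object-level check: admins see all; others need a listed workspace or collaborator membership."""
    ws = WORKSPACES[graph.workspace_id]
    return user.is_admin or ws.listed or user.id in ws.collaborators

def thumbnail_unchecked(user, graph_id: int):
    """Shape the advisory describes for 2.6.0 and earlier: being signed in is the only gate."""
    if user is None:
        return 401, None
    graph = GRAPHS.get(graph_id)
    if graph is None:
        return 404, None
    return 200, graph.thumbnail_png

def thumbnail_checked(user, graph_id: int):
    """Hardened handler: the object-level check runs before any thumbnail bytes are returned.
    404 for both 'missing' and 'not permitted' keeps the endpoint from confirming graph IDs."""
    if user is None:
        return 401, None
    graph = GRAPHS.get(graph_id)
    if graph is None or not can_view_graph(user, graph):
        return 404, None
    return 200, graph.thumbnail_png
```

Returning 404 rather than 403 for a graph the caller may not see is a design choice of this example, not something the advisory specifies.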

Mitigation

Upgrade to EclecticIQ Platform 2.7.0 or later.

Affected versions

2.6.0 and earlier.

Notes

-