EIQ-2020-0007

ID

EIQ-2020-0007

CVE

-

Description

A signed-in user can gain unauthorized access to workspaces

Date

10 Feb 2020

Severity

4 - CRITICAL

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✅ 2.7.0

Assessment

A signed-in platform user without admin access rights, and with at least the modify workspaces permission, can gain unauthorized access to any platform workspace, even if the user is not a workspace collaborator.

To do so, a signed-in platform user must have the ID of the workspace they want to access.

User roles and group roles are not validated correctly in the backend.

This enables a user to send POST and PUT requests with the ID of the workspace they want to access in the request body.

We plan to implement stricter backend checking for user roles and group roles from release 2.7.0 to intercept and to block unauthorized workspace access through POST and PUT requests that try to pass tampered request body data.
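The following sketch is an added example, not EclecticIQ Platform code. It shows the class of flaw described above next to the object-level check that closes it: a handler that verifies only the global permission, and one that also verifies the caller's user or group membership of the workspace named in the request body. All class, function and data names are hypothetical; only the "modify workspaces" permission comes from this advisory.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller is not authorized for the target workspace."""

@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    is_admin: bool = False

@dataclass
class Workspace:
    id: int
    title: str
    collaborators: set = field(default_factory=set)        # user names
    collaborator_groups: set = field(default_factory=set)  # group names

# Constructed sample data (hypothetical workspaces and members).
WORKSPACES = {
    1: Workspace(1, "team-a", {"alice"}),
    2: Workspace(2, "team-b", {"bob"}, {"soc"}),
}

def update_workspace_unchecked(user, body):
    """Flawed pattern: only the global permission is checked."""
    if "modify workspaces" not in user.permissions:
        raise Forbidden("missing permission")
    ws = WORKSPACES[body["id"]]  # ID from the request body is trusted as-is
    ws.title = body["title"]
    return ws

def can_access(user, ws):
    """Object-level check: admin, direct collaborator, or collaborator via a group."""
    return (user.is_admin or user.name in ws.collaborators
            or bool(user.groups & ws.collaborator_groups))

def update_workspace_checked(user, body):
    """Hardened pattern: permission AND membership of the workspace in the body."""
    if "modify workspaces" not in user.permissions:
        raise Forbidden("missing permission")
    ws = WORKSPACES.get(body.get("id"))
    # Same error for "unknown" and "not yours", so the response reveals nothing about IDs.
    if ws is None or not can_access(user, ws):
        raise Forbidden("workspace not accessible")
    ws.title = body["title"]
    return ws
```

A regression test for this class of bug should call every POST and PUT endpoint as a non-collaborator with a valid workspace ID in the body and expect a rejection.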

Mitigation

Upgrade to EclecticIQ Platform 2.7.0 or later.

Affected versions

2.6.0 and earlier.

Notes

-