# EIQ-2020-0010

| ID | EIQ-2020-0010 |
|---|---|
| CVE | - |
| Description | Users with read-only permissions can delete objects from datasets |
| Date | 16 Mar 2020 |
| Severity | 1 - LOW |
| CVSSv3 score | CVSSv3 score not available on NIST NVD. |
| Status | ✅ 2.8.0 |
| Assessment | A signed-in platform user with read-only permissions (no admin access rights and no modify permissions) can modify objects saved to datasets in the platform. They cannot modify dataset properties or attributes. However, if the user belongs to a group that is also a data source of one or more entities in a dataset, they can remove those entities from the dataset. This happens because users inherit permissions from the groups they belong to, and groups can be assigned as data sources for entities created in the platform. A read-only user who belongs to a group that is also an entity data source therefore gains read and modify access to those entities. |
| Mitigation | We are addressing this issue in a future planned release. Until the issue is solved: |
| Affected versions | 2.7.1 and earlier. |
| Notes | - |
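The permission-inheritance path described in the assessment, as an added illustration that is not EclecticIQ code: the data model, the `can_remove_pre_2_8` check and the `audit_escalations` helper are assumptions made for this example, modelling how a read-only user ends up with modify rights on entities whose data source is one of their groups.

```python
"""Toy model of the group-inheritance flaw described in EIQ-2020-0010.
Added illustration, not EclecticIQ code: the classes, field names and the
audit function are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

READ, MODIFY = "read", "modify"

@dataclass
class Group:
    name: str
    permissions: Set[str] = field(default_factory=set)  # inherited by members

@dataclass
class User:
    name: str
    permissions: Set[str]  # granted directly to the user
    groups: List[Group]

@dataclass
class Entity:
    id: str
    data_sources: Set[str]  # names of groups recorded as the entity's data sources

def effective_permissions(user: User) -> Set[str]:
    """Direct permissions plus everything inherited from group membership."""
    perms = set(user.permissions)
    for group in user.groups:
        perms |= group.permissions
    return perms

def can_remove_pre_2_8(user: User, entity: Entity) -> bool:
    """Behaviour described in the assessment (2.7.1 and earlier): membership
    of a group that is a data source of the entity implies modify rights."""
    if MODIFY in effective_permissions(user):
        return True
    return any(g.name in entity.data_sources for g in user.groups)

def audit_escalations(users: List[User], entities: List[Entity]) -> List[Tuple[str, str]]:
    """(user, entity) pairs where a user lacking modify rights can still remove
    the entity purely through data-source group membership."""
    return [(u.name, e.id) for u in users for e in entities
            if MODIFY not in effective_permissions(u) and can_remove_pre_2_8(u, e)]

# Constructed scenario: a read-only analysts group that is also an entity data source.
ANALYSTS = Group("analysts", {READ})
ALICE = User("alice", {READ}, [ANALYSTS])
BOB = User("bob", {READ}, [])
ENTITIES = [Entity("indicator-1", {"analysts"}), Entity("indicator-2", {"feed-x"})]
```

Running `audit_escalations` over an export of users, groups and entity data sources is one way to list which accounts could have exercised this path on an affected version.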