Impact
Tests found four issues where users have more permissions than they should have:
- Jira configurations can be viewed and edited by every staff user who knows the URLs of the dialogs within the UI. With the API this is only allowed for superusers, which is the desired behaviour, as the user can view or edit the Jira credentials.
- Every staff user can view every Jira_Product configuration and every Jira_Issue with the API. That shall be restricted to the products the user is allowed to see. Although these two classes consist mainly of IDs, the Jira project key might reveal sensitive information.
- Every staff user can view every Object_Product (shown as Product Tracking Files in the UI) when they know the URLs of the dialogs. That shall be restricted to the products the user is allowed to see.
- Every staff user can view every Tool_Product_Settings and Note with the API. That shall be restricted to the products the user is allowed to see.
Patches
The issues have been patched in release 2.6.0:
- Jira configurations can only be viewed and edited by superusers. If you think the Jira credentials may have been read by staff users, rotate them.
- Only users with at least the Reader role can view Jira_Product and Jira_Issue objects of the respective products. To edit Jira_Products on product level, users need to be at least Maintainer; to edit Jira_Products on engagement level or Jira_Issues, users need to be at least Writer.
- To view Object_Product objects, users need the Reader role; to edit them, the Maintainer role.
- Only users with at least the Reader role can view Tool_Product_Settings objects of the respective products. To edit them, users need to be at least Maintainer.
- Due to implementation details, object-based authorization cannot easily be implemented for Notes in the API. Therefore access to Notes via the API has been restricted to superusers.
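The rules in the Patches list, together with the point from the Impact list that staff status alone must not grant access to product-scoped objects, as an added example that is not DefectDojo's own code. It is a self-contained Python model of the authorization decisions: the class names (Role, User, Product, JiraProduct, JiraIssue, ObjectProduct, ToolProductSettings, JiraInstance, Note) and the functions product_of, can_view, can_edit and visible are hypothetical stand-ins for the project's models and permission classes, and the role ordering Reader < Writer < Maintainer < Owner as well as the Jira_Issue to Finding to Engagement to Product chain are assumptions about how the objects are linked.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Role(IntEnum):
    """Product roles, ordered so that `role >= Role.WRITER` reads as 'at least Writer'.
    The ordering is an assumption for this example."""
    READER = 1
    WRITER = 2
    MAINTAINER = 3
    OWNER = 4


@dataclass(frozen=True)
class User:
    name: str
    is_staff: bool = True      # every user here is staff; staff alone grants nothing below
    is_superuser: bool = False


@dataclass
class Product:
    name: str
    members: dict = field(default_factory=dict)  # user name -> Role

@dataclass
class Engagement:
    product: Product

@dataclass
class Finding:
    engagement: Engagement

# Hypothetical stand-ins for the product-scoped objects named in the advisory.
@dataclass
class JiraProduct:
    product: Optional[Product] = None        # product-level configuration ...
    engagement: Optional[Engagement] = None  # ... or engagement-level configuration

@dataclass
class JiraIssue:
    finding: Finding

@dataclass
class ObjectProduct:  # "Product Tracking Files" in the UI
    product: Product

@dataclass
class ToolProductSettings:
    product: Product

# Objects that stay superuser-only: the global Jira configuration holding the
# credentials, and Notes, which the advisory restricts to superusers in the API.
@dataclass
class JiraInstance:
    url: str

@dataclass
class Note:
    text: str


def product_of(obj) -> Product:
    """Walk engagement/finding links back to the Product that owns obj (assumed links)."""
    if isinstance(obj, JiraProduct):
        return obj.product if obj.product is not None else obj.engagement.product
    if isinstance(obj, JiraIssue):
        return obj.finding.engagement.product
    if isinstance(obj, (ObjectProduct, ToolProductSettings)):
        return obj.product
    raise TypeError(f"{type(obj).__name__} is not product-scoped")


def has_role(user: User, product: Product, minimum: Role) -> bool:
    """True if the user holds at least `minimum` on the product; non-members get nothing."""
    role = product.members.get(user.name)
    return role is not None and role >= minimum


def can_view(user: User, obj) -> bool:
    if user.is_superuser:
        return True
    if isinstance(obj, (JiraInstance, Note)):
        return False                      # credentials and Notes: superuser only
    return has_role(user, product_of(obj), Role.READER)


def can_edit(user: User, obj) -> bool:
    if user.is_superuser:
        return True
    if isinstance(obj, (JiraInstance, Note)):
        return False
    if isinstance(obj, JiraProduct):
        # product level needs Maintainer, engagement level needs Writer
        minimum = Role.MAINTAINER if obj.product is not None else Role.WRITER
    elif isinstance(obj, JiraIssue):
        minimum = Role.WRITER
    else:  # ObjectProduct, ToolProductSettings
        minimum = Role.MAINTAINER
    return has_role(user, product_of(obj), minimum)


def visible(user: User, objects):
    """List endpoints must apply the same rule as detail endpoints; otherwise a
    staff user can enumerate objects of products they are not a member of."""
    return [o for o in objects if can_view(user, o)]
```

The `visible` helper is the part that maps to the Impact list: a correct check on the detail view is not enough if the list endpoint still returns every object, and it is the list endpoint that lets a staff user discover the IDs and Jira project keys of products they are not a member of.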
For more information
If you have any questions or comments about this advisory: