This advisory describes a configuration that may cause unexpected behavior. It does not describe a traditional code vulnerability.

Summary

Registry v0.5 introduced the ability to attach a Sponsor to a CO Petition. In order to give self service Petitioners the ability to select a Sponsor, all possible Sponsors must be made available to the Petitioner, typically via an HTML select. Whether this is considered an issue will depend on the organization's attribute release and privacy policies, and on whether self service enrollments are enabled.

Affected configurations require an Enrollment Flow with Petitioner Enrollment Authorization set to None or Unauthenticated User, and Sponsor enabled as an attribute to be collected.
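As an added illustration (not code from the advisory or from COmanage Registry itself), the following Python snippet audits a list of Enrollment Flow records for the combination described above. The record layout, the field names and the sample flows are all constructed for this example; a real check would read the flows from the Registry's configuration or API.

```python
# Added example: audit Enrollment Flow configurations for the combination
# this advisory describes. The record layout (dict keys) and the sample
# flows are constructed for illustration, not COmanage's own data model.

# Petitioner Enrollment Authorization values under which a Petitioner who
# has not been authorized by the CO can see the full Sponsor list.
EXPOSED_AUTHZ = {"None", "Unauthenticated User"}

# Constructed sample configuration (not real deployment data).
SAMPLE_FLOWS = [
    {"name": "Self Signup", "status": "Active",
     "petitioner_authz": "Unauthenticated User",
     "attributes": ["Name", "Email", "Sponsor"]},
    {"name": "Invite Only", "status": "Active",
     "petitioner_authz": "CO Admin",
     "attributes": ["Name", "Email", "Sponsor"]},
    {"name": "Open Request", "status": "Active",
     "petitioner_authz": "None",
     "attributes": ["Name", "Email"]},
    {"name": "Old Signup", "status": "Suspended",
     "petitioner_authz": "None",
     "attributes": ["Name", "Sponsor"]},
]


def is_affected(flow):
    """True when a flow exposes the Sponsor list to an unauthorized Petitioner."""
    return (flow["petitioner_authz"] in EXPOSED_AUTHZ
            and "Sponsor" in flow["attributes"])


def affected_flows(flows, include_inactive=False):
    """Return the names of flows matching the advisory's affected configuration.

    Flows not marked Active are skipped unless the caller asks for them
    (useful for catching flows that may be re-enabled later).
    """
    return [f["name"] for f in flows
            if is_affected(f)
            and (include_inactive or f["status"] == "Active")]


if __name__ == "__main__":
    for name in affected_flows(SAMPLE_FLOWS):
        print(f"review Sponsor exposure in enrollment flow: {name}")
```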

Severity

The severity of this issue is very high, if an affected configuration is in use.

Exposure

The exposure will vary according to the organization's policies and configuration.

Recommended Mitigation

Deployments not using the described configuration need not take any action.

Deployments using the described configuration should review the Privacy Considerations During Enrollment section of Sponsors and Managers to determine appropriate actions, if any.

Alternate Mitigations

Multiple mitigations are described in the Privacy Considerations During Enrollment section of Sponsors and Managers.

Discussion

How much of a concern an affected configuration should cause will depend on the organization's policies. For example, a small virtual organization that already publishes a full list of its membership online is effectively unaffected by this discussion, as the information provided for Sponsor selection is already public. On the other hand, a University concerned about FERPA compliance may wish to prevent FERPA-suppressed students from being available as Sponsors for anonymous or authenticated enrollments.

References

  • CO-2148
