Summary
Registry v3.3.0 introduced CO-specific API users, which can be either privileged (having full access to the CO via the API) or unprivileged (having no specific access unless granted). Certain foreign keys were not properly validated within some APIs, resulting in the potential for data leakage.
...
The severity of this issue is medium, as a privileged API user is required to leak data.
Exposure
The exposure will generally be low, as this advisory only meaningfully affects multi-tenant deployments, and only those that have enabled CO-specific API users.
Recommended Mitigation
Deployments not using the described configuration need not take any action, though they should plan an upgrade as soon as practical in case CO-specific API users are created later.
...
Deployments may also perform an audit, as described in Discussion, below.
Alternate Mitigations
Deployments may alternately disable any privileged CO-specific API users until an upgrade can be performed.
Discussion
Registry v3.3.0 introduced CO-specific API users, which can be either privileged (having full access to the CO via the API) or unprivileged (having no specific access unless granted). Previously, the REST API was only available to platform-wide superusers.
...
Tables to examine include cm_co_person_roles.
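As an added illustration of the kind of audit the advisory suggests (this query is not part of the advisory or of COmanage Registry itself), the following SQL looks for CO Person Role rows whose COU belongs to a different CO than the CO Person the role is attached to. It assumes the standard Registry column names cm_co_person_roles.co_person_id and cm_co_person_roles.cou_id, cm_co_people.co_id, and cm_cous.co_id; verify these against your deployment's schema before relying on the result.

```sql
-- Added audit example (assumed schema, see lead-in): find CO Person Roles
-- whose COU is in a different CO than the owning CO Person. Any row
-- returned is a cross-CO reference worth reviewing by hand.
SELECT r.id        AS co_person_role_id,
       r.co_person_id,
       p.co_id     AS person_co_id,
       r.cou_id,
       c.co_id     AS cou_co_id
  FROM cm_co_person_roles r
  JOIN cm_co_people p ON p.id = r.co_person_id
  JOIN cm_cous     c ON c.id = r.cou_id
 WHERE r.cou_id IS NOT NULL
   AND p.co_id <> c.co_id
 ORDER BY r.id;
```

Rows that have already been expunged (flagged by Registry's own deleted marker, if your version carries one) can be excluded with an additional predicate; the same join pattern applies to the other tables the advisory lists once the full table set is known.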
References
- CO-2146
- CO-2294