
This advisory describes a configuration that may cause unexpected behavior. It does not describe a traditional code vulnerability.


Summary

As of Registry v3.2.0, attaching a Pipeline to an Enrollment Source has been supported. This configuration may not establish a CO Person in the way some administrators will expect. Specifically, if the Pipeline creates a new CO Person record, that record will immediately be considered Active. If the Enrollment Flow is designed to utilize other states, including Pending Approval, these states will never be triggered since the CO Person is already Active. (Depending on the configuration, a CO Person Role created by the Enrollment Flow will not necessarily immediately become Active.)

...

The severity of this issue is medium, as it requires CO Administrator permission to establish the described configuration.

Exposure

The exposure is expected to be low.

Recommended Mitigation

Deployments not using the described configuration need not take any action.

Deployments using the described configuration may upgrade to Registry v3.3.1 and set the Pipeline Sync Strategy setting New CO Person Status appropriately.

Alternate Mitigations

Deployments may reconfigure affected Enrollment Flows to not use the described configuration.

Deployments may review enrollments created by affected Enrollment Flows to verify records are created as intended.

Discussion

Pipelines and Enrollment Flows are designed to create CO Person records differently. Enrollment Flows typically progress an Enrollee through a number of states, such as Created, Pending Confirmation, Pending Approval, and Active. Pipelines, on the other hand, are generally designed to work with backend systems, and new CO Person records created via this mechanism have only been created with Active status.

...

Registry v3.3.1 adds a Pipeline configuration to specify the status given to a new CO Person created via the Pipeline. Keep in mind that it is possible for a Pipeline to link to an existing CO Person record. In that case, the original CO Person status may remain in effect.
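The following is an added example, not COmanage Registry code, illustrating the review suggested under Alternate Mitigations. It models the situation described above on constructed records: an Enrollment Flow that includes an approval step, attached to an Enrollment Source with a Pipeline, where the Pipeline creates the CO Person as Active so Pending Approval is never reached. Records where the Pipeline linked to an existing CO Person are deliberately not flagged, since in that case the original status may remain in effect. The record layout and field names are assumptions for illustration only.

```python
"""Review constructed enrollment records for CO Persons that skipped approval.

Added example, not COmanage Registry code. Field names and the sample data are
assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Enrollment Flow states named in the advisory, in the order a flow progresses.
FLOW_STATES = ["Created", "Pending Confirmation", "Pending Approval", "Active"]


@dataclass
class Enrollment:
    petition_id: str                 # assumed identifier of the enrollment petition
    flow_requires_approval: bool     # does the Enrollment Flow include Pending Approval?
    created_by_pipeline: bool        # did a Pipeline on the Enrollment Source act on this enrollment?
    co_person_status: str            # status of the CO Person record right after the enrollment
    linked_existing_person: bool = False  # Pipeline matched an existing CO Person instead of creating one


def bypassed_approval(e: Enrollment) -> bool:
    """True when the Pipeline created a new CO Person as Active although the flow expects approval.

    A Pipeline that linked to an existing CO Person is not flagged: that record's
    status predates this enrollment and may legitimately already be Active.
    """
    return (
        e.flow_requires_approval
        and e.created_by_pipeline
        and not e.linked_existing_person
        and e.co_person_status == "Active"
    )


def review(enrollments) -> list:
    """Return the petition ids whose CO Person skipped the flow's approval state."""
    return [e.petition_id for e in enrollments if bypassed_approval(e)]


# Constructed sample data (not real Registry records).
SAMPLE = [
    # Flow without approval: Active is the expected end state, nothing to flag.
    Enrollment("P-1", flow_requires_approval=False, created_by_pipeline=True, co_person_status="Active"),
    # Flow with approval, Pipeline created a brand-new CO Person as Active: approval bypassed.
    Enrollment("P-2", flow_requires_approval=True, created_by_pipeline=True, co_person_status="Active"),
    # Flow with approval, no Pipeline involved: the CO Person is still Pending Approval, as designed.
    Enrollment("P-3", flow_requires_approval=True, created_by_pipeline=False, co_person_status="Pending Approval"),
    # Flow with approval, Pipeline linked to an existing Active CO Person: original status kept, not flagged.
    Enrollment("P-4", flow_requires_approval=True, created_by_pipeline=True, co_person_status="Active",
               linked_existing_person=True),
]

if __name__ == "__main__":
    for pid in review(SAMPLE):
        print(f"{pid}: CO Person became Active without passing through Pending Approval")
```

Run against an export of real enrollments, only the records flagged by review() need a manual check that the resulting CO Person was meant to be Active.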

References

  • CO-2021