This advisory describes a configuration that may cause unexpected behavior. It does not describe a traditional code vulnerability.

Summary

As of Registry v3.2.0, a Pipeline can be attached to an Enrollment Source. This configuration may not establish a CO Person in the way some administrators expect. Specifically, if the Pipeline creates a new CO Person record, that record is immediately considered Active. If the Enrollment Flow is designed to use other states, including Pending Approval, those states will never be reached because the CO Person is already Active. (Depending on the configuration, a CO Person Role created by the Enrollment Flow will not necessarily become Active immediately.)

Severity

The severity of this issue is medium, as it requires CO Administrator permission to establish the described configuration.

Exposure

The exposure is expected to be low.

Recommended Mitigation

Deployments not using the described configuration need not take any action.

Deployments using the described configuration may upgrade to Registry v3.3.1 and set the Pipeline Sync Strategy setting New CO Person Status to the initial status the Enrollment Flow expects to drive (for example, Pending Approval), rather than leaving new records Active.

Alternate Mitigations

Deployments may reconfigure affected Enrollment Flows to not use the described configuration.

Deployments may review enrollments created by affected Enrollment Flows to verify records are created as intended.

Discussion

Pipelines and Enrollment Flows are designed to create CO Person records differently. Enrollment Flows typically progress an Enrollee through a number of states, such as Created, Pending Confirmation, Pending Approval, and Active. Pipelines, on the other hand, are generally designed to work with backend systems, and new CO Person records created via this mechanism have only ever been created with Active status.

Over time, capabilities were added to allow Enrollment Flows to trigger Pipelines (indirectly, via Enrollment Sources) and for Pipelines to trigger Enrollment Flows (in a limited fashion). This has blurred the lines between the registration pattern each was intended to support. In most deployment models, Enrollment Sources run early in the Enrollment Flow, meaning any Pipelines that are triggered via the Enrollment Source will happen before the CO Person has completed the Enrollment Flow. As such, the Pipeline policy for establishing a CO Person status will typically take precedence over the Enrollment Flow. This isn't a bug, per se, but it is unintuitive and was not well documented.

Registry v3.3.1 adds a Pipeline configuration to specify the status given to a new CO Person created via the Pipeline. Keep in mind that it is possible for a Pipeline to link to an existing CO Person record. In that case, the original CO Person status may remain in effect.
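The following simulation, added here and not part of the advisory or of COmanage Registry itself, models the precedence described above and the review step listed under Alternate Mitigations. Status names follow the advisory; the step names, the record layout, and the `new_co_person_status` argument (a stand-in for the v3.3.1 Pipeline Sync Strategy setting "New CO Person Status") are simplifications chosen for this example and do not reflect Registry's internal data model.

```python
"""Model of how a Pipeline run from an Enrollment Source pre-empts the status
transitions an Enrollment Flow expects to drive.

Added illustration, not COmanage Registry code. Step names, record layout and
the `new_co_person_status` argument are assumptions made for this example.
"""
from dataclasses import dataclass, field

ACTIVE = "Active"
PENDING_CONFIRMATION = "Pending Confirmation"
PENDING_APPROVAL = "Pending Approval"

# Each flow step moves a CO Person from the status it expects into the next one.
# A step whose expected status is not the current status has nothing to act on.
TRANSITIONS = {
    "confirm": (PENDING_CONFIRMATION, PENDING_APPROVAL),
    "approve": (PENDING_APPROVAL, ACTIVE),
}


@dataclass
class COPerson:
    status: str
    history: list = field(default_factory=list)  # (event, resulting status)


def run_pipeline(person, new_co_person_status=ACTIVE):
    """Pipeline triggered by the Enrollment Source.

    Links to an existing CO Person without touching its status, or creates a
    new record. Before v3.3.1 a new record is always Active; the argument
    models the configurable status added in v3.3.1.
    """
    if person is None:
        person = COPerson(new_co_person_status)
        person.history.append(("pipeline_create", new_co_person_status))
    else:
        person.history.append(("pipeline_link", person.status))
    return person


def run_enrollment_flow(steps, existing=None, new_co_person_status=ACTIVE):
    """Run a flow whose Enrollment Source (and thus its Pipeline) runs early.

    Returns the CO Person and the list of steps that could not act because
    the record was already past the status they expect.
    """
    person, skipped = existing, []
    for step in steps:
        if step == "source":
            person = run_pipeline(person, new_co_person_status)
            continue
        expected, result = TRANSITIONS[step]
        if person.status == expected:
            person.status = result
            person.history.append((step, result))
        else:
            skipped.append(step)
    return person, skipped


def review_enrollments(records, required_step="approve"):
    """Alternate mitigation: flag Active records created by a flow that is
    designed to include an approval step but whose history shows that the
    step never ran."""
    return [
        rec for rec in records
        if rec.status == ACTIVE and required_step not in {e for e, _ in rec.history}
    ]


if __name__ == "__main__":
    flow = ["source", "confirm", "approve"]
    # Pre-v3.3.1 behaviour: the Pipeline creates the record Active, so
    # confirmation and approval are both skipped.
    before, skipped = run_enrollment_flow(flow)
    print(before.status, skipped)
    # v3.3.1 with New CO Person Status set to match the flow's first state.
    after, skipped = run_enrollment_flow(flow, new_co_person_status=PENDING_CONFIRMATION)
    print(after.status, skipped)
    print([rec.history for rec in review_enrollments([before, after])])
```

The third case worth checking is a Pipeline that links to an existing CO Person rather than creating one: the setting does not apply, the record keeps whatever status it already had, and only the flow steps that match that status will run.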

References