Impact
Several APIs are affected:
- Shared files API:
/secure/api/sharedfile/* and /secure/api/resourceExplorer/*
- API token management:
/secure/api/apiaccounts/*
- Event logs:
/secure/api/eventlog/*
- Completion:
/secure/api/completion/*
Accessing these API requires a valid Rudder account, but no specific rights, meaning that a user with no or read-only rights can use them, and take control of the infrastructure (either by creating a privileges token, or chaining with GHSA-jjfq-p8xw-53g2).
Only actual user accounts are affected, not standalone API tokens.
Patches
- #4957: Adds the required ACLs
Workarounds
None.
References
Impact
Several APIs are affected:
/secure/api/sharedfile/*and/secure/api/resourceExplorer/*/secure/api/apiaccounts/*/secure/api/eventlog/*/secure/api/completion/*Accessing these API requires a valid Rudder account, but no specific rights, meaning that a user with no or read-only rights can use them, and take control of the infrastructure (either by creating a privileges token, or chaining with GHSA-jjfq-p8xw-53g2).
Only actual user accounts are affected, not standalone API tokens.
Patches
Workarounds
None.
References