Machine update process doesn't check that the user has access to all environments #4073

Closed
pawelpabich opened this issue Dec 13, 2017 · 2 comments


pawelpabich commented Dec 13, 2017

Let's consider the following scenario. A machine that is scoped to two environments: Env1, Env2 and an authenticated user that has access to Env1 and Env3. The user can add Env3 to the machine scope even though they don't have access to Env2.

CVE-2017-17665


pawelpabich commented Dec 13, 2017

Release Note: Fixed security vulnerability in Machine update process by checking that the user has access to all environments
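
The scenario from this issue as an added example (not code from this thread or from the project): a machine-scope update guarded by a check that only looks at newly added environments, next to one that requires access to every environment in the current and requested scope. The `Machine` type, both function names, and the shape of the flawed check are assumptions made for illustration.

```python
# Added illustration; not project code. All names here are hypothetical.
from dataclasses import dataclass


class ScopeUpdateDenied(Exception):
    """Raised when the caller lacks access to part of the machine's scope."""


@dataclass
class Machine:
    name: str
    environments: frozenset


def update_scope_flawed(machine, user_envs, requested):
    # Assumed shape of the flaw: only environments being added are checked,
    # so environments already in scope (Env2 in the issue) are never verified.
    added = frozenset(requested) - machine.environments
    denied = added - frozenset(user_envs)
    if denied:
        raise ScopeUpdateDenied(sorted(denied))
    machine.environments = frozenset(requested)
    return machine


def update_scope_checked(machine, user_envs, requested):
    # Require access to every environment the machine is, or would be, scoped to.
    touched = machine.environments | frozenset(requested)
    missing = touched - frozenset(user_envs)
    if missing:
        raise ScopeUpdateDenied(sorted(missing))
    machine.environments = frozenset(requested)
    return machine


def try_update(update, machine, user_envs, requested):
    """Return (allowed, resulting_scope) instead of propagating the denial."""
    try:
        update(machine, user_envs, requested)
        return True, sorted(machine.environments)
    except ScopeUpdateDenied:
        return False, sorted(machine.environments)
```
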


lock bot commented Nov 24, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 24, 2018