Unauthorized Process Execution for Authenticated Organizations #406

hhund · 2023-06-29T08:32:46Z

Affected Versions: <= 0.9.1

Description: Do to a flaw in the Task authorization rule, users authenticated via a valid client certificate from trusted certificate authorities and a corresponding entry in the local DSF allow-list, are able to execute processes that should otherwise not be allowed via the ActivityDefinition authorization extension of the process.

Workaround: Disable access for untrusted organizations by setting Organization.active to false.

The text was updated successfully, but these errors were encountered:

hhund · 2023-06-29T08:37:42Z

A fix for this issue is available via version 0.9.2.

Docker containers for the 0.9.2 release can be access via the GitHub Docker registry - ghcr.io:

bpe: ghcr.io/highmed/bpe:0.9.2
fhir: ghcr.io/highmed/fhir:0.9.2
fhir_proxy: ghcr.io/highmed/fhir_proxy:0.9.2

hhund · 2023-06-29T08:42:34Z

POC: 38b1f24, Fix: b1546b8

hhund added bug Something isn't working priority high This issue has high priority labels Jun 29, 2023

hhund added this to the v0.9.2 milestone Jun 29, 2023

hhund self-assigned this Jun 29, 2023

hhund mentioned this issue Jun 29, 2023

Hotfix/0.9.2 #407

Merged

hhund closed this as completed in #407 Jun 29, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unauthorized Process Execution for Authenticated Organizations #406

Unauthorized Process Execution for Authenticated Organizations #406

hhund commented Jun 29, 2023

hhund commented Jun 29, 2023 •

edited

hhund commented Jun 29, 2023

Unauthorized Process Execution for Authenticated Organizations #406

Unauthorized Process Execution for Authenticated Organizations #406

Comments

hhund commented Jun 29, 2023

hhund commented Jun 29, 2023 • edited

hhund commented Jun 29, 2023

hhund commented Jun 29, 2023 •

edited