Bug 1946213 (CVE-2021-20306)

Summary: CVE-2021-20306 Business-central: Ruleflow Groups from other projects displayed on BPMN editor despite user having no access to those projects
Product: [Other] Security Response Reporter: Paramvir jindal <pjindal>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: akoufoud, alazarot, anstephe, etirelli, ibek, jstastny, krathod, kverlaen, mnovotny, pjindal, rrajasek, tzimanyi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the BPMN editor. Any authenticated user from any project can see the name of Ruleflow Groups from other projects, despite the user not having access to those projects. The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1939122    

Description Paramvir jindal 2021-04-05 12:03:31 UTC
Ruleflow Groups from other projects displayed on BPMN editor despite user having no access to those projects

https://issues.redhat.com/browse/JBPM-9662

Comment 1 Paramvir jindal 2021-04-05 12:03:41 UTC
Acknowledgments:

Name: Ben Brown