1946213 – (CVE-2021-20306) CVE-2021-20306 Business-central: Ruleflow Groups from other projects displayed on BPMN editor despite user having no access to those projects

Bug 1946213 (CVE-2021-20306) - CVE-2021-20306 Business-central: Ruleflow Groups from other projects displayed on BPMN editor despite user having no access to those projects

Summary: CVE-2021-20306 Business-central: Ruleflow Groups from other projects displaye...

Keywords:
Status:	NEW
Alias:	CVE-2021-20306
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	Embargoed1939122
TreeView+	depends on / blocked

Reported:	2021-04-05 12:03 UTC by Paramvir jindal
Modified:	2023-05-15 18:03 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	---
Doc Text:	A flaw was found in the BPMN editor. Any authenticated user from any project can see the name of Ruleflow Groups from other projects, despite the user not having access to those projects. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)

Description Paramvir jindal 2021-04-05 12:03:31 UTC

Ruleflow Groups from other projects displayed on BPMN editor despite user having no access to those projects

https://issues.redhat.com/browse/JBPM-9662

Comment 1 Paramvir jindal 2021-04-05 12:03:41 UTC

Acknowledgments:

Name: Ben Brown

Note You need to log in before you can comment on or make changes to this bug.