Bug 1946213 (CVE-2021-20306) - CVE-2021-20306 Business-central: Ruleflow Groups from other projects displayed on BPMN editor despite user having no access to those projects
Summary: CVE-2021-20306 Business-central: Ruleflow Groups from other projects displaye...
Keywords:
Status: NEW
Alias: CVE-2021-20306
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1939122
TreeView+ depends on / blocked
 
Reported: 2021-04-05 12:03 UTC by Paramvir jindal
Modified: 2022-08-12 04:38 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the BPMN editor. Any authenticated user from any project can see the name of Ruleflow Groups from other projects, despite the user not having access to those projects. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Paramvir jindal 2021-04-05 12:03:31 UTC
Ruleflow Groups from other projects displayed on BPMN editor despite user having no access to those projects

https://issues.redhat.com/browse/JBPM-9662

Comment 1 Paramvir jindal 2021-04-05 12:03:41 UTC
Acknowledgments:

Name: Ben Brown


Note You need to log in before you can comment on or make changes to this bug.