A security defect was identified in Foundry Issues. If a user was added to an issue on a resource that they did not have access to and consequently could not see, they could query Foundry\'s Notification API and receive metadata about the issue including the RID of the issue, severity, internal UUID of the author, and the user-defined title of the issue.
Metrics
CVSS Version: 3.1 |
Base Score: 3.5 LOW Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CWE-ID: CWE-420 CWE Name: The product protects a primary channel, but it does not use the same level of protection for an alternate channel. Source: Palantir
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC-ID: CAPEC-115 CAPEC Description: An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.