Impact
Improper access control in Key-Value RBAC in StackStorm version 3.7.0 did not check permissions in Jinja filters, allowing attackers to access K/V pairs of other users, potentially leading to the exposure of sensitive information. To exploit this vulnerability, RBAC must be enabled with K/V permission rules and the attacker must have a StackStorm user account.
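The defect the advisory describes, as an added illustration that is not StackStorm's code: a Jinja filter callable that resolves key-value pairs without consulting the caller's grants, beside a version bound to the requesting user that checks a permission before every lookup. The store contents, scope names, the `key_value_pair_view` permission name and the grants table are all constructed for this example.

```python
# Constructed in-memory key-value store: scope -> key -> value.
# Scopes model the per-user K/V pairs the advisory mentions; contents are made up.
KV_STORE = {
    "system": {"api_endpoint": "https://example.internal"},
    "user:alice": {"db_password": "alice-secret"},
    "user:bob": {"db_password": "bob-secret"},
}

# Constructed RBAC grants: user -> set of (permission, scope) pairs.
RBAC_GRANTS = {
    "alice": {("key_value_pair_view", "user:alice"),
              ("key_value_pair_view", "system")},
    "bob": {("key_value_pair_view", "user:bob")},
}


class PermissionDenied(Exception):
    """Raised when a template lookup is not covered by the caller's grants."""


def kv_filter_unchecked(key, scope="system"):
    """Vulnerable shape: resolves any scope, so a template rendered by one
    user can read another user's pairs. Nothing identifies the caller."""
    return KV_STORE.get(scope, {}).get(key)


def has_permission(user, permission, scope):
    """Hypothetical grant check against the constructed table."""
    return (permission, scope) in RBAC_GRANTS.get(user, set())


def make_kv_filter(requesting_user):
    """Hardened shape: the filter is created per render and closed over the
    user who triggered it, so every lookup is authorised before resolving."""
    def kv_filter(key, scope="system"):
        if not has_permission(requesting_user, "key_value_pair_view", scope):
            raise PermissionDenied(
                f"user {requesting_user!r} may not read scope {scope!r}")
        return KV_STORE.get(scope, {}).get(key)
    return kv_filter


def render_as(requesting_user, key, scope):
    """Simulate one template lookup through the hardened filter; returns the
    value, or None when the grant check refuses it."""
    try:
        return make_kv_filter(requesting_user)(key, scope)
    except PermissionDenied:
        return None
```

Registering `make_kv_filter(user)` as the Jinja filter at render time, instead of one shared unchecked callable, is what closes the cross-user read.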
Patches
Affected StackStorm versions: v3.7.0.
The issue was fixed in StackStorm: v3.8.0.
References
Credits
This issue was discovered and reported to us by Guilherme Murad Pim.