Medium

lunary

Run Information Leak via Insufficient Access Control

The endpoint `runs/{run_id}/related` in the main branch (commit a761d833) of lunary returns a run's related runs without verifying that the requesting user is authorized to access that run, so an authenticated user can retrieve run data belonging to other users or projects. This issue was identified and reported but has not yet been patched.

Available publicly on Jun 22 2024

CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Credit: patrik-ha

Remediation Steps

  • Implement access control checks in the runs/{run_id}/related endpoint to ensure that the requesting user has the necessary permissions to access the specified run and its related runs.
  • Review and update the access control logic across all endpoints to ensure consistency and prevent similar vulnerabilities.
  • Conduct thorough testing to verify that the access control mechanisms are functioning as intended.
  • Deploy the updated code to the production environment and notify users of the security update.
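
As an added illustration of the first remediation step (not lunary's code; the run and project shapes, the membership table and the helper names are assumptions), the following contrasts a lookup that omits the check with one that verifies the caller's project membership before returning a run's relatives:

```javascript
// Constructed sample data standing in for the runs and project-membership
// tables; the field names (projectId, parentRunId) are assumptions.
const runs = [
  { id: "r1", projectId: "p1", parentRunId: null },
  { id: "r2", projectId: "p1", parentRunId: "r1" },
  { id: "r3", projectId: "p2", parentRunId: null },
  { id: "r4", projectId: "p2", parentRunId: "r3" },
];
const projectMembers = { p1: ["alice"], p2: ["bob"] };

function userCanAccessProject(userId, projectId) {
  return (projectMembers[projectId] || []).includes(userId);
}

// Shape of the flaw described above: the run is resolved by id alone, so any
// authenticated caller who supplies a run id receives that run's relatives
// regardless of which project the run belongs to.
function relatedRunsUnchecked(runId) {
  const run = runs.find((r) => r.id === runId);
  if (!run) return { status: 404, body: null };
  const rootId = run.parentRunId ?? run.id;
  const related = runs.filter((r) => r.id === rootId || r.parentRunId === rootId);
  return { status: 200, body: related };
}

// Hardened shape: resolve the run, then confirm the caller is a member of the
// run's project before returning anything. A 404 is returned for both "no such
// run" and "not your run" so the response does not confirm that the id exists.
function relatedRunsChecked(userId, runId) {
  const run = runs.find((r) => r.id === runId);
  if (!run || !userCanAccessProject(userId, run.projectId)) {
    return { status: 404, body: null };
  }
  const rootId = run.parentRunId ?? run.id;
  // Constrain the related set to the same project as well, so a run that was
  // reparented across projects cannot ride along on the parent/child join.
  const related = runs.filter(
    (r) => r.projectId === run.projectId && (r.id === rootId || r.parentRunId === rootId)
  );
  return { status: 200, body: related };
}
```

The same pattern applies to every endpoint that takes a run id from the caller: resolve the object first, then authorize against its owning project, never the other way round.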

Patch Details

  • Fixed Version: N/A
  • Patch Commit: N/A