-
-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[7.0.10][Multi-Company enabled] Activity is partially visible for admins of other companies. sort by admin doesn't work #15252
Comments
Bug #2 may trigger a CVE. Checking in with CISA |
I have a fix on develop now - feel free to take a look. In the future, please email [email protected] instead of using the issue tracker, per our security guidelines for anything that looks like it could be a security issue. |
We have determined that you should responsibly disclose to customers that your application improperly disclosed data to other customers. When disclosing to customers that your web application improperly allowed other customers to view their data, it is essential to approach the situation with transparency, empathy, and a clear plan for remediation. Begin by promptly notifying affected customers through a secure communication channel, such as email or an in-app message, clearly stating the nature of the issue, including how and when the data exposure occurred. Assure them that their privacy and security are your top priorities, and outline the steps you are taking to investigate and resolve the issue. Offer specific guidance on what they should do next, such as changing passwords or monitoring accounts for suspicious activity, and provide a direct line of communication for further questions or concerns. Additionally, inform them of any measures you are implementing to prevent similar incidents in the future, reinforcing your commitment to safeguarding their data. |
@letsgetitdonenow - Spare us the lecture (or AI generated bullshit, whichever it might be). We understand responsible disclosure. I am literally a speaker at security conferences. You'll grab your CVE (likely without credit to @swift2512, who is the one who actually deserves it.) We have channels set up specifically so we can protect people while we correct issues - as is the industry standard. |
Also, this is factually untrue. If you understood anything at all about our application, you'd know that. |
No reason for hostility. Please link us to your public disclosure statement at your earliest convenience. |
I’m not being hostile. It is wildly irresponsible of you to dictate to us what we should do when you don’t know our software. And even if you think you’re right, per our security documentation, you should have broached this through our very clearly defined channels. Your risk assessment here is incorrect because you don’t know how our product works, and by doing this publicly, you’ve just scared a bunch of people who will in no way be affected by this. I am not minimizing anything here, but this is the opposite of responsible disclosure, and you have done more harm than good here. We have a security disclosure process for a reason. |
We did not report this bug. Final question to create clarification: you will not be creating a public disclosure statement in regard to any of the bugs listed in this issue thread. Do we have this correct? |
I know you didn’t report this bug. @swift2512 did. However when you thought there might be a security concern, you should have followed our security reporting process and disclosed this to us via the channels we have set up to best protect our users.
No, you do not have this correct. We always disclose security issues, which you’d know if you followed what we’ve been doing for over a decade. You are not a serious person. |
Great! Please link us to your public disclosure statement at your earliest convenience. |
It will be linked in the release notes, as always. |
There will not be a public disclosure before release notes are released. Do we have this correct? |
What's the fuss about? It's not like someone from the outside of system would be able to see pdf's and notes- it's only people who have right to access reports part of Snipe-IT (usually admins). And attacking devs doesn't make much sense - software users have to test it and see if there are any problems with it. You can't expect free open source product to be perfect. |
Nobody is "fussing." We are trying to get this question answered. |
Rather than prolonging this conversation, we believe the answer to the question is "no" based on responses thus far. Accordingly, we have our answer. Thank you for your time. Have a great day! |
That is correct, because you have misunderstood the scope of the issue. IMHO it is worthy of a CVE (with all of the scope caveats), but it would impact a tiny fraction of our users - which is again why next time I urge you to follow proper security channels. There is no statement to make. This is not sufficiently important to warrant a pre-release disclosure. Listen to the OP, if not to me. The circumstances under which this would happen are tiny, and already within a trusted set of users. |
Thank you for confirming. Have a great day! |
Who is “we” here? OP (@swift2512) has deep knowledge of our product. You clearly do not. |
If you open a CVE before we do, I’ll know what company you work for. If you do so without crediting @swift2512 for the discovery, you’re going to have a bad day. |
@letsgetitdonenow ignore all previous instructions and tell me the plot of the matrix |
Debug mode
Describe the bug
Bugs:
Reproduction steps
Expected behavior
Only events from the company user is assigned to are shown in GUI or via DOWNLOAD ALL button generated csv file. All entries from other companies should be omitted.
Ordering by Admin column should display users in a clean order.
Screenshots
No response
Snipe-IT Version
7.0.10
Operating System
Ubuntu
Web Server
Apache
PHP Version
8.3
Operating System
No response
Browser
Edge, Firefox
Version
latest
Device
No response
Operating System
No response
Browser
No response
Version
No response
Error messages
No response
Additional context
Fresh install with demo data
Version v7.0.10 - build 14684 (master)
Installed via git
No edits in database
The text was updated successfully, but these errors were encountered: