at f91d651, CNA loses data after PUT /org/:shortname/user/:username?org_short_name= #1187

Open
ElectricNroff opened this issue Feb 18, 2024 · 0 comments

Comments

@ElectricNroff (Contributor)

```js
// Redact because requested_by.user is not in requested_by.cna org
i.requested_by.user = 'REDACTED'
```

If a user is moved to a different organization via a PUT /org/:shortname/user/:username?org_short_name= API request by the Secretariat, then other users in the original organization see "user":"REDACTED" in GET /cve-id output for all of the CVE ID reservation work done by that user when they were previously a member of the original CNA. Before that PUT request, the original CNA was able to see who performed that CVE ID reservation work, may have been relying on that as important business records, and suddenly loses access to those business records as a result of the PUT request. For example, a remaining user of the original CNA could realistically have questions such as "Were CVE-2023-98765 through CVE-2023-98769 just reserved for possible future use, or was each one associated with a specific vulnerability?" and wouldn't be able to see who might have the answer to that question.

As far as I know, the only plausible reason for using PUT /org/:shortname/user/:username?org_short_name= is to move a user into a different organization controlled by the same company as the original organization. If someone changed jobs to a different company, it wouldn't make sense for the Secretariat to move their CVE Services user account to that other company's organization, because it's not possible to guarantee that the API Key is known only by that person (and not known by an administrator at the person's old company).

For example, we have one instance where a company added a new CNA that will be covering some of the vulnerabilities that had previously been covered by another CNA at that company. In the future, we may have users routinely move within the same company from a CNA-only organization to an ADP-only organization. In any of those cases, requested_by.cna would be the same as owning_cna, and it's important that the original CNA be able to see the original requested_by.user information, so that they can more easily find answers to questions about the purpose of each CVE ID in the GET /cve-id output.

If requested_by.cna is different from owning_cna, then the 'REDACTED' is desirable.
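The two redaction rules discussed above, modelled side by side on constructed records (an added example, not cve-services code; the org names, user names and record shapes are assumptions for illustration):

```javascript
// Constructed org membership after the Secretariat has moved "alice"
// from "acme_cna" to a sibling organization "acme_adp" at the same company.
const ORG_MEMBERS = {
  acme_cna: new Set(['bob']),
  acme_adp: new Set(['alice']),
  other_cna: new Set(['carol']),
};

// Constructed GET /cve-id style records, reduced to the fields that matter here.
const RECORDS = [
  { cve_id: 'CVE-2023-98765', owning_cna: 'acme_cna', requested_by: { cna: 'acme_cna', user: 'alice' } },
  { cve_id: 'CVE-2023-98766', owning_cna: 'acme_cna', requested_by: { cna: 'acme_cna', user: 'bob' } },
  { cve_id: 'CVE-2023-98767', owning_cna: 'acme_cna', requested_by: { cna: 'other_cna', user: 'carol' } },
];

// Rule quoted in the issue: redact whenever requested_by.user is no longer a
// member of the requested_by.cna org. Once alice is moved, her reservation
// history is hidden from the very CNA that owns those IDs.
function redactCurrent(record, orgMembers) {
  const { cna, user } = record.requested_by;
  const members = orgMembers[cna] || new Set();
  return members.has(user) ? user : 'REDACTED';
}

// Rule proposed in the issue: redact only when the reserving CNA differs from
// the owning CNA, so the owning CNA keeps its own business records even after
// a user is moved to another organization. Membership is not consulted.
function redactProposed(record, _orgMembers) {
  return record.requested_by.cna === record.owning_cna ? record.requested_by.user : 'REDACTED';
}

// Render the requested_by.user column as the owning CNA would see it under a given rule.
function viewAs(records, orgMembers, rule) {
  return records.map((r) => ({ cve_id: r.cve_id, user: rule(r, orgMembers) }));
}

// Constructed comparison of both views; cross-CNA reservations stay redacted under the
// proposed rule, while the moved user's intra-company history becomes visible again.
function compareViews() {
  return {
    current: viewAs(RECORDS, ORG_MEMBERS, redactCurrent),
    proposed: viewAs(RECORDS, ORG_MEMBERS, redactProposed),
  };
}
```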

Status: Needs Triage