- Bug
- Resolution: Fixed
- Critical
- 1.0
- None
This is a currently-open security hole that allows an attacker with non-admin credentials to query and manipulate triples with admin predicates, which allows them to grant themselves admin privileges and add/remove users from the system.
I'm not marking this "blocking" because the attacker would have to already have non-admin credentials before they could attack this way, and the attack requires knowing the Tupelo server endpoint and writing code against the Tupelo client APIs and protocols.
- is related to: MMDB-835 Add permission to tupelo server blacklisting to retrieve authentication triples (Closed)