Admin can update workspace status of another admin

State Resolved
April 8, 2021
Issue ID -zUnIUHDq
Asset v1 API
Bounty $100
Reported at April 3, 2021
Reporter Bhavik Kanejiya
Severity Low
Visibility Complete
Weakness CWE-285: Improper Authorization

Description

A malicious admin can update the workspace status of another admin, but only when both are admins of the same workspace. The attacker cannot remove the other admin or perform any other disallowed action, and the workspace owner can revert the change. The impact is therefore limited to one admin tampering with a peer's status, which is why the severity is Low.

Step by step - Scenario

  1. Three users are in the same workspace - Carol (owner), Alice (admin), Bob (admin)
  2. Using the update-workspace-status request, Alice changes Bob's workspace status, even though Bob holds the same role as Alice

Expected

Only the workspace owner should be able to change the workspace status of an admin. The API should reject the request when the requesting admin does not outrank the target user.
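The following is an added example, not the vendor's v1 API code, showing the authorization check as the report describes it beside a hardened version. The role names, the Workspace model, the status values and the user Dave (an assumed plain member, added to show that admin-on-member updates keep working after the fix) are all assumptions for illustration.

```python
"""Added example (not the v1 API's own code): the authorization check behind
CWE-285 in this report, in vulnerable and hardened form.

Assumptions: roles are MEMBER < ADMIN < OWNER, a workspace stores one role and
one status per user, and status values are "active" / "suspended"."""
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    # Ordered so that a higher value outranks a lower one.
    MEMBER = 1
    ADMIN = 2
    OWNER = 3


@dataclass
class Workspace:
    roles: dict = field(default_factory=dict)   # user -> Role
    status: dict = field(default_factory=dict)  # user -> "active" | "suspended"

    def role_of(self, user):
        return self.roles.get(user)


class Forbidden(Exception):
    pass


def update_status_vulnerable(ws, actor, target, new_status):
    """Authorization as reported: the check only asks whether the actor is an
    admin of the workspace, never how the actor's role compares to the target's,
    so one admin can change another admin's status."""
    if ws.role_of(actor) not in (Role.ADMIN, Role.OWNER):
        raise Forbidden("actor is not an admin of this workspace")
    if ws.role_of(target) is None:
        raise Forbidden("target is not in this workspace")
    ws.status[target] = new_status
    return ws.status[target]


def update_status_fixed(ws, actor, target, new_status):
    """Hardened check: the actor must strictly outrank the target. Only the
    owner outranks an admin, so admin-on-admin updates are refused, while
    admin-on-member and owner-on-anyone updates still succeed."""
    actor_role = ws.role_of(actor)
    target_role = ws.role_of(target)
    if actor_role is None or target_role is None:
        raise Forbidden("both users must belong to the workspace")
    if actor_role <= target_role:
        raise Forbidden(f"{actor_role.name} cannot modify a {target_role.name}")
    ws.status[target] = new_status
    return ws.status[target]


def run_scenario():
    """Replays the report's scenario (Carol owner, Alice and Bob admins) against
    both checks and returns what each attempt produced."""
    def fresh():
        # Constructed sample workspace; Dave is an assumed plain member.
        return Workspace(
            roles={"carol": Role.OWNER, "alice": Role.ADMIN,
                   "bob": Role.ADMIN, "dave": Role.MEMBER},
            status={u: "active" for u in ("carol", "alice", "bob", "dave")},
        )

    def attempt(check, actor, target):
        ws = fresh()
        try:
            return check(ws, actor, target, "suspended")
        except Forbidden as exc:
            return f"forbidden: {exc}"

    return {
        "vuln alice->bob": attempt(update_status_vulnerable, "alice", "bob"),
        "fixed alice->bob": attempt(update_status_fixed, "alice", "bob"),
        "fixed carol->bob": attempt(update_status_fixed, "carol", "bob"),
        "fixed alice->dave": attempt(update_status_fixed, "alice", "dave"),
        "fixed bob->carol": attempt(update_status_fixed, "bob", "carol"),
    }


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:18} {outcome}")
```

The rank comparison (`actor_role <= target_role`) is what the vulnerable version lacks: it checks the actor's privilege in isolation instead of relative to the target. Note that the same rule also blocks an admin from touching the owner, which the original check would have allowed for the same reason.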