Today we are announcing the release of StackStorm v2.9.2 and StackStorm v2.10.1.
Those two patch releases fix a security issue which has been reported to us this week by one of our users (Alexandre Juma – thanks!).
The issue lies in the GET /v1/keys API endpoint, where the ?user=<username> query parameter filter is not correctly handled. This allows any authenticated user to potentially retrieve user-scoped datastore items belonging to other users.
The issue affects all Open Source StackStorm releases from v1.5.0 to v2.10.0 (inclusive). Enterprise editions with RBAC enabled are not affected: when RBAC is enabled, only users with the admin role can use the ?user=<username> query parameter filter to retrieve or view values for any system user.
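To make the access-control point concrete, the following is an added example written for this post; it is not StackStorm's own code and does not reproduce its API implementation. It models the rule the advisory describes (a caller may read only their own user-scoped items unless they hold the admin role) as a small guard in front of a constructed in-memory key/value store, and then scans a few constructed access-log lines for successful pre-patch requests that read another user's scope without that role. The store contents, the principal names, the `is_admin` flag and the `user=... method=... path=... status=...` log format are all assumptions made for the example.

```python
"""Added example (not StackStorm's code): authorization guard for a user-scoped
key listing endpoint, plus a scan of access logs for cross-user reads."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit
import re

# Constructed in-memory datastore: (scope, owner, name) -> value.
# "user" items belong to one user; "system" items have no owner.
KV_STORE = {
    ("user", "alice", "github_token"): "ghp_alice",
    ("user", "bob", "github_token"): "ghp_bob",
    ("system", None, "slack_webhook"): "https://hooks.example.invalid/ABC",
}


@dataclass
class Principal:
    """The authenticated caller. is_admin is an assumed stand-in for an RBAC admin role."""
    name: str
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when a caller asks for another user's scope without the admin role."""


def resolve_scope_user(principal: Principal, requested_user: Optional[str]) -> str:
    """Decide whose user-scoped items this request may read.

    - no ?user= parameter: the caller's own scope
    - ?user= equal to the caller: the caller's own scope
    - ?user= naming someone else: admin only (the check the advisory says was
      not enforced before v2.9.2 / v2.10.1 in non-RBAC installations)
    """
    if requested_user is None or requested_user == principal.name:
        return principal.name
    if principal.is_admin:
        return requested_user
    raise Forbidden(f"{principal.name} may not read user-scoped items of {requested_user}")


def can_read_scope(principal: Principal, requested_user: Optional[str]) -> bool:
    """Boolean form of the guard, convenient for tests and policy checks."""
    try:
        resolve_scope_user(principal, requested_user)
        return True
    except Forbidden:
        return False


def list_user_keys(principal: Principal, requested_user: Optional[str]) -> Dict[str, str]:
    """Simulated GET /v1/keys?user=<username> with the guard applied first."""
    owner = resolve_scope_user(principal, requested_user)
    return {
        name: value
        for (scope, item_owner, name), value in KV_STORE.items()
        if scope == "user" and item_owner == owner
    }


# Constructed access-log lines in an assumed format (not StackStorm's real log format).
SAMPLE_LOG = [
    "2018-12-20T10:00:01Z user=alice method=GET path=/v1/keys status=200",
    "2018-12-20T10:00:05Z user=bob method=GET path=/v1/keys?user=alice status=200",
    "2018-12-20T10:00:09Z user=admin method=GET path=/v1/keys?user=bob status=200",
    "2018-12-20T10:00:12Z user=bob method=GET path=/v1/actions?user=alice status=200",
    "2018-12-20T10:00:15Z user=carol method=GET path=/v1/keys?user=alice status=403",
]

LOG_LINE = re.compile(r"user=(?P<caller>\S+) method=GET path=(?P<path>\S+) status=(?P<status>\d+)")


def find_cross_user_reads(log_lines: Iterable[str], admins: Set[str]) -> List[Tuple[str, str]]:
    """Return (caller, target) pairs for successful /v1/keys requests in which a
    non-admin caller filtered on a different user's scope. On an unpatched
    installation these are the requests that would have leaked data."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("path"))
        if parts.path != "/v1/keys":
            continue
        target = parse_qs(parts.query).get("user", [None])[0]
        caller = match.group("caller")
        if target and target != caller and caller not in admins and match.group("status") == "200":
            hits.append((caller, target))
    return hits


if __name__ == "__main__":
    print(list_user_keys(Principal("alice"), None))
    print(list_user_keys(Principal("admin", is_admin=True), "bob"))
    print(find_cross_user_reads(SAMPLE_LOG, admins={"admin"}))
```

The guard resolves the effective scope owner before any datastore lookup happens, so a request that names another user fails closed rather than falling through to an unfiltered query; the log scan is the retrospective check an operator can run against their own API access logs (after adapting the regular expression to their real log format) to see whether the parameter was exercised across user boundaries before the upgrade.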
We strongly encourage users affected by this issue to upgrade to one of those releases. If you are not yet able to upgrade to the newly released v2.10.x series, upgrade to v2.9.2, which also includes the fix.
The issue has been assigned CVE identifier CVE-2018-20345.
Software security and robustness are key qualities we strive for in every change we make, but we realized we did not have clear procedures for reporting security issues.
We will continue to follow the same responsible disclosure process we have followed so far. This means we will ask the person who reports an issue to give us some time to prepare and develop a fix before the issue is announced publicly.
We are thankful to the users and security researchers who help us make our software and ecosystem more secure by reporting any issues they find.
As always, make sure you have backups first. Then follow the standard Upgrade Instructions.