Here at StackStorm we take security very seriously. If you believe you found a security issue or a vulnerability, please report it to us using one of the methods described below.

Reporting a Vulnerability

Please do not report security issues using our public GitHub repository or Slack chat. Use the private mailing list described below.

If you believe you found a security issue or a vulnerability, please send a description of it to our private mailing list at info@stackstorm.com

Once you've submitted an issue, you should receive an acknowledgment from one of our team members in 48 hours or less. If further action is necessary, you may receive additional follow-up emails.

How Are Vulnerabilities Handled

We follow the industry de facto standard of Responsible Disclosure for handling security issues. This means we disclose the issue only after a fix for the issue has been developed and released.

We of course always give full credit to the person who reported the issue.

Security Vulnerabilities

The section below contains a list of security vulnerabilities identified in past releases. Those issues have been fixed in the latest release, so you are always encouraged to run the latest release available.

[CVE-2018-20345] Invalid access control checks in "GET /v1/keys" API endpoint

Severity: Medium
Affected versions: All the versions prior to 2.9.2 and 2.10.1

StackStorm API didn't perform correct access control checks in the "GET /v1/keys" API endpoint. This allowed authenticated users to retrieve user-scoped datastore items for arbitrary users by using "?scope=all" and "?user=<username>" query parameter filters.

NOTE: Enterprise edition with RBAC enabled is not affected. When RBAC is enabled, only users with the admin role can use the "?scope=all" and "?user=<username>" query parameter filters to retrieve or view values belonging to any system user.
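The access control check whose absence is described above, as an added illustration that is not StackStorm's own code (the Principal class, the ITEMS sample and the function names are assumptions): the flawed shape honours the scope and user filters for any authenticated caller, while the hardened shape pins a non-admin caller to system items and their own user-scoped items before the filters run.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    """Authenticated API caller (hypothetical model, not a StackStorm class)."""
    name: str
    is_admin: bool = False

# Constructed sample datastore: one system-scoped and two user-scoped items.
ITEMS = [
    {"name": "region", "scope": "system", "user": None},
    {"name": "api_token", "scope": "user", "user": "alice"},
    {"name": "db_password", "scope": "user", "user": "bob"},
]

def _apply_filters(scope: str, user: Optional[str]) -> list:
    """Apply the ?scope= and ?user= filters exactly as given, with no regard
    for who is asking."""
    if scope not in ("system", "user", "all"):
        raise ValueError("scope must be system, user or all")
    result = [i for i in ITEMS if scope == "all" or i["scope"] == scope]
    if user is not None:
        result = [i for i in result if i["user"] == user]
    return result

def list_keys_vulnerable(caller: Principal, scope: str, user: Optional[str] = None) -> list:
    """Pre-fix shape: the caller's identity never enters the decision, so
    scope=all or user=<other> exposes other users' items."""
    return _apply_filters(scope, user)

def list_keys_fixed(caller: Principal, scope: str, user: Optional[str] = None) -> list:
    """Hardened shape: a non-admin may only ask about themselves, and scope=all
    for them means "system items plus my own". Admins keep the filters."""
    if not caller.is_admin:
        if user is not None and user != caller.name:
            raise PermissionError(f"{caller.name} may not read keys of {user}")
        return [
            i for i in _apply_filters(scope, None)
            if i["scope"] == "system" or i["user"] == caller.name
        ]
    return _apply_filters(scope, user)
```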

Mitigation: This vulnerability has been fixed in StackStorm v2.9.2 and v2.10.1. You are strongly encouraged to upgrade to one of those releases.

This issue was discovered and reported to us by Alexandre Juma.