
Users could impersonate the user who created the event.

Open kumada626 opened this issue 9 months ago • 8 comments

What happened: When a user sends a request to the API to create an event, the creator property can be set to an arbitrary value, so it is possible to set it to a user other than oneself. https://cd.screwdriver.cd/pipelines/9550/events/801009

What you expected to happen: Users should be able to see who really created the event.

How to reproduce it:

  • Call the POST /v4/event endpoint with a creator property.
  • Any value set in creator is displayed in the UI's "started by" field.

kumada626 · May 16 '24 06:05
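The flaw described in the issue, modelled as an added example that is not Screwdriver's own code: a handler that copies `creator` straight from the request body beside one that derives it from the authenticated session and rejects any client-supplied `creator`. The request shape (`payload`, `auth.credentials`) is assumed to mirror a hapi-style request object; the field names `username` and `scmContext`, the pipeline id and the sample requests are constructed for illustration.

```javascript
// Added example, not Screwdriver code. Models the impersonation issue:
// the "started by" user must come from the authenticated session, never
// from a client-writable field in the POST body.

// Constructed sample: attacker "mallory" sends a body naming "alice" as creator.
const SAMPLE_REQUEST = {
  payload: { pipelineId: 9550, creator: { username: 'alice' } },
  auth: { credentials: { username: 'mallory', scmContext: 'github:github.com' } },
};

// Vulnerable: whatever the client sends becomes the recorded creator.
function createEventVulnerable(request) {
  const { payload } = request;
  return {
    pipelineId: payload.pipelineId,
    creator: payload.creator, // attacker-controlled, shown in the UI as "started by"
  };
}

// Hardened: the creator is taken only from the authenticated identity.
// A body that tries to set `creator` is rejected with a 400 rather than
// silently overwritten, so misbehaving clients (and probes) are visible.
function createEventHardened(request) {
  const { payload, auth } = request;
  const creds = auth && auth.credentials;
  if (!creds || !creds.username) {
    const err = new Error('unauthenticated');
    err.statusCode = 401;
    throw err;
  }
  if (Object.prototype.hasOwnProperty.call(payload, 'creator')) {
    const err = new Error('creator is server-assigned and cannot be set by the client');
    err.statusCode = 400;
    throw err;
  }
  return {
    pipelineId: payload.pipelineId,
    creator: { username: creds.username, scmContext: creds.scmContext },
  };
}

// Returns the status code a handler would answer with for a given request,
// so the two behaviours can be compared on the same input.
function statusOf(handler, request) {
  try {
    handler(request);
    return 201;
  } catch (err) {
    return err.statusCode || 500;
  }
}

module.exports = { SAMPLE_REQUEST, createEventVulnerable, createEventHardened, statusOf };
```

On the same sample request the vulnerable handler records "alice" as the creator while "mallory" actually authenticated; the hardened handler refuses the body, and a body without `creator` is recorded under the session's own identity. If a schema validator sits in front of the handler, the equivalent fix is to drop `creator` from the request schema entirely so the property never reaches the handler.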