Default status: unaffected

Version  Type    Range          Status
8.4.0    semver  before 8.4.0   affected
8.3.2    semver  before 8.3.2   affected
8.2.2    semver  before 8.2.2   affected
8.1.3    semver  before 8.1.3   affected
8.0.4    semver  before 8.0.4   affected
7.13.6   semver  before 7.13.6  affected
7.12.7   semver  before 7.12.7  affected
7.11.7   semver  before 7.11.7  affected
7.10.10  semver  before 7.10.10 affected
Description
In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs.
Problem types
CWE-284 Improper Access Control - Generic
Product status
Version  Type    Range
8.4.0    semver  before 8.4.0
8.3.2    semver  before 8.3.2
8.2.2    semver  before 8.2.2
8.1.3    semver  before 8.1.3
8.0.4    semver  before 8.0.4
7.13.6   semver  before 7.13.6
7.12.7   semver  before 7.12.7
7.11.7   semver  before 7.11.7
7.10.10  semver  before 7.10.10
References
github.com/RocketChat/Rocket.Chat/pull/40125