Deprecated owners.query API bypasses object view policy
Phabricator
Reported by
dyls
Vulnerability Details
Technical details and impact analysis
The deprecated owners.query API does not check the object view policy of the packages it returns. By calling this API, a user can view some information about an owners package they do not have permission to see. Since the API is deprecated, it could simply be removed.
## Impact
An attacker is able to view some information about an owners package that they should not be able to see. This includes the name, description, owner PHIDs, repository PHIDs, and a path (which may be a path belonging to a restricted repository).
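To make the bug class concrete, here is a small model of a query endpoint with and without an object view policy check. This is an added illustration, not Phabricator's code and not the reporter's: the `Package`, `Viewer`, `can_view`, `owners_query_legacy`, `owners_query_filtered` and `leaked_phids` names, the policy values, and all PHIDs are assumptions constructed for the example. The `leaked_phids` helper is the differential check a maintainer can run to confirm that an endpoint returns objects the viewer's policy would withhold.

```python
"""Constructed model of an object-view-policy check on a query endpoint.
Added illustration, not Phabricator's code: every name and PHID below is
an assumption made for this example."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PUBLIC = "public"       # visible to anyone, logged in or not
ALL_USERS = "users"     # visible to any logged-in user
# Any other policy value is treated as a project PHID: only members may view.


@dataclass(frozen=True)
class Viewer:
    phid: str
    projects: FrozenSet[str]   # project PHIDs the viewer belongs to


@dataclass(frozen=True)
class Package:
    phid: str
    name: str
    description: str
    view_policy: str
    owner_phids: tuple
    repository_phids: tuple
    paths: tuple


def can_view(viewer: Optional[Viewer], package: Package) -> bool:
    """Object view policy: the check the deprecated endpoint skipped."""
    policy = package.view_policy
    if policy == PUBLIC:
        return True
    if viewer is None:          # anonymous caller
        return False
    if policy == ALL_USERS:
        return True
    return policy in viewer.projects


def serialize(package: Package) -> dict:
    """Fields mirror what the report says leaked (constructed layout)."""
    return {
        "phid": package.phid,
        "name": package.name,
        "description": package.description,
        "owners": list(package.owner_phids),
        "repositories": list(package.repository_phids),
        "paths": list(package.paths),
    }


# Constructed sample data; PHIDs are placeholders, not real identifiers.
PACKAGES = (
    Package("PHID-PKG-docs", "Docs", "Public docs tree", PUBLIC,
            ("PHID-USER-alice",), ("PHID-REPO-docs",), ("/docs/",)),
    Package("PHID-PKG-core", "Core", "Main codebase", ALL_USERS,
            ("PHID-USER-bob",), ("PHID-REPO-core",), ("/src/",)),
    Package("PHID-PKG-secops", "SecOps", "Incident tooling", "PHID-PROJ-secops",
            ("PHID-USER-carol",), ("PHID-REPO-private",), ("/secops/keys/",)),
)


def owners_query_legacy(packages=PACKAGES) -> List[dict]:
    """Models the flaw: results are returned without consulting the viewer."""
    return [serialize(p) for p in packages]


def owners_query_filtered(viewer: Optional[Viewer],
                          packages=PACKAGES) -> List[dict]:
    """Corrected behaviour: every result must pass the viewer's policy check."""
    return [serialize(p) for p in packages if can_view(viewer, p)]


def leaked_phids(viewer: Optional[Viewer], packages=PACKAGES) -> List[str]:
    """Differential check: PHIDs the legacy endpoint exposes to this viewer
    that the policy-filtered endpoint withholds. A non-empty list means the
    endpoint bypasses object view policy for that viewer."""
    allowed = {r["phid"] for r in owners_query_filtered(viewer, packages)}
    return [r["phid"] for r in owners_query_legacy(packages)
            if r["phid"] not in allowed]


if __name__ == "__main__":
    outsider = Viewer("PHID-USER-dave", frozenset())
    print("anonymous sees via legacy API but should not:", leaked_phids(None))
    print("outsider sees via legacy API but should not:", leaked_phids(outsider))
```

The fix modelled by `owners_query_filtered` is the same one the report implies for the real endpoint: either route every result through the viewer's policy check, or remove the deprecated method so the unfiltered path no longer exists.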
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$300.00
Submitted
Weakness
Improper Access Control - Generic