
Improper access control on several dialogues in the user interface

Moderate
valentijnscholten published GHSA-qm5q-2jrx-cch3 Oct 5, 2021

Package

DefectDojo (None)

Affected versions

<2.3.0

Patched versions

2.3.0

Description

Impact

DefectDojo users have reported several authorization problems in the user interface:

  • Users with a global role can view all groups and their members. A global role is meant to grant access only to product types, products and the objects that depend on them, not to groups.
  • Most data in the Configuration menu is meant to be accessible to superusers only, but some of its URLs can also be opened by staff users: Credentials, Google sheets, Regulations, Rules, Tool Types and Tool Configuration.
  • All users can view the change history for Users and Credentials, and that history includes password hashes. The change history should be visible to superusers only, and password hashes should not be recorded in it at all.

Patches

These issues have been patched in release 2.3.0:

  • Groups can only be accessed by their members or by superusers.
  • Configuration data is only accessible to superusers, with one exception: Regulations are not sensitive and can be viewed (but not edited) by all users.
  • The change history for Users and Credentials no longer logs password hashes and is only accessible to superusers. Previously recorded password hashes have been removed from the change history.
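The following is an added example, not DefectDojo's own code, that models the three rules above (the reported behaviour and the patched behaviour) as plain Python predicates and exercises them against a staff user, a user holding only a global role, and a superuser. The User, Group and Role model, the role names, the section names used as keys, and the `password` field name are assumptions made for illustration; DefectDojo's real Django models and views are not reproduced here. The point is the shape of the check: membership or superuser status for groups, superuser status for configuration (with a read-only carve-out for Regulations), and redaction of password hashes before anything is written to an audit trail that only superusers may read.

```python
"""Authorization rules from the DefectDojo 2.3.0 advisory, modelled as predicates.

Added illustration, not project code. All class and field names are assumed.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Set

# Assumed global role names; a global role only grants product-type/product access.
GLOBAL_ROLES = {"Reader", "Writer", "Maintainer", "Owner"}

# Configuration sections named in the advisory; only Regulations is non-sensitive.
CONFIG_SECTIONS = {"Credentials", "Google sheets", "Regulations", "Rules",
                   "Tool Types", "Tool Configuration"}
CONFIG_VIEWABLE_BY_ALL = {"Regulations"}

# Assumed name of the hashed-password field on the User/Credential models.
SENSITIVE_FIELDS = {"password"}


@dataclass(frozen=True)
class User:
    username: str
    is_superuser: bool = False
    is_staff: bool = False
    global_role: Optional[str] = None


@dataclass
class Group:
    name: str
    members: Set[str] = field(default_factory=set)


def can_view_group_reported(user: User, group: Group) -> bool:
    """Behaviour described in the Impact section: a global role opens every group."""
    return user.is_superuser or user.username in group.members \
        or user.global_role in GLOBAL_ROLES


def can_view_group(user: User, group: Group) -> bool:
    """Patched rule: members or superusers only; a global role does not count."""
    return user.is_superuser or user.username in group.members


def can_access_config(user: User, section: str, action: str = "view") -> bool:
    """Patched rule: configuration is superuser-only, except viewing Regulations.

    Staff status deliberately plays no part; that was the reported gap.
    """
    if section not in CONFIG_SECTIONS:
        raise ValueError(f"unknown configuration section: {section}")
    if user.is_superuser:
        return True
    return action == "view" and section in CONFIG_VIEWABLE_BY_ALL


def history_entry(model: str, changes: Dict[str, Any]) -> Dict[str, Any]:
    """Build an audit entry with password hashes stripped before it is stored."""
    return {"model": model,
            "changes": {k: v for k, v in changes.items() if k not in SENSITIVE_FIELDS}}


def can_view_history(user: User) -> bool:
    """Patched rule: change history for Users and Credentials is superuser-only."""
    return user.is_superuser


def run_matrix() -> Dict[str, Dict[str, bool]]:
    """Evaluate every rule for three representative users; used by the tests."""
    group = Group("dev-team", {"bob"})
    users = {
        "staff": User("staff", is_staff=True),
        "global_reader": User("alice", global_role="Reader"),
        "root": User("root", is_superuser=True),
    }
    return {
        name: {
            "group_reported": can_view_group_reported(u, group),
            "group_patched": can_view_group(u, group),
            "credentials_view": can_access_config(u, "Credentials"),
            "regulations_view": can_access_config(u, "Regulations"),
            "regulations_edit": can_access_config(u, "Regulations", "edit"),
            "history": can_view_history(u),
        }
        for name, u in users.items()
    }


if __name__ == "__main__":
    for who, result in run_matrix().items():
        print(who, result)
    print(history_entry("User", {"email": "a@example.org",
                                 "password": "pbkdf2_sha256$...(constructed)"}))
```

Running the block prints the matrix; the `global_reader` row is the one that changes between the reported and patched group rule, and `history_entry` shows the redaction happening before storage rather than at display time, which is what keeps hashes out of the database in the first place.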

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

No known CVE

Weaknesses

Credits