Closed
Description
Cases owned by non-linked organisations visible to all organisations, potential data leakage
Request Type
Bug
Work Environment
| Question | Answer |
|---|---|
| OS version (server) | Ubuntu 16 |
| OS version (client) | Any |
| TheHive version / git hash | 4.0.0-RC2-1 |
| Package Type | deb |
| Browser type & version | Chrome/FF |
Problem Description
When merging alerts into a case, all similar cases for all organisations are displayed, despite the fact that those cases have not been shared with the organisation and the organisations aren't even linked. This raises an issue with multi-tenancy and creates room for data leakage. Case titles could contain information that should not be shared between tenants.
Steps to Reproduce
- Create alert
- Click "Merge into Case"
- Similar cases displays all similar cases from all organisations
Possible Solutions
List of similar cases that gets populated when merging an alert or case should only display alerts and cases owned by that organisation, or linked organisations, not all.