[Bug] Case Template content mixed across organisations #2068

Closed
@martinr103

Description

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Debian 10.3 |
| TheHive version / git hash | 4.1.4 |
| Package Type | Binary / in Docker |
| Database | Cassandra |
| Index type | Lucene |
| Attachments storage | Local |

Problem Description

Multi-Tenancy issue observed.

We have several organizations in TH.
We also have a set of case templates under each organization (the same templates [same names] exist under each organization).
The case templates include a few custom fields. One of the fields is called "customer_contact" and contains a certain email address. Obviously, the value of that custom field is specific depending on the Organization.
(i.e. let's say, as an example, we have
Org-A : template "case_template_1" : custom field "customer contact" = "joe@org-a.com"
Org-B : template "case_template_1" : custom field "customer contact" = "jim@org-b.com")
Based on the customer_contact field, external communication to the customer may be done, if necessary.

Now, just today I noticed the issue that a newly created Case under Organization-A had the custom field "customer_contact" populated with the Organization-B contact!!
This is of course absolutely fatal, as the analysts most probably won't notice a wrong value there, and that may lead to cross-customer data contamination.

Steps to Reproduce

  1. under two organizations, prepare a case template with the same template-name under each org
  2. add a custom field in both templates, populate the custom field with different values under org-A and under org-B
  3. create an alert via API, specifying "X-Organisation" Header of organization A (payload of the createAlert API contains the template-name created in step 1)
  4. promote the alert to Case via API, specifying "X-Organisation" Header of organization A (payload of the createCase API also contains the template-name as created in step 1)
  5. check if the custom field in the newly created case contains the template value from org-A or org-B
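A small model of the failure mode reported above, with a check for step 5, added here as an illustration and not code from TheHive: the organisations, template name and contact values are the constructed ones from the report, and the name-only index that drops the organisation is an assumption about the bug class, not TheHive's actual lookup.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CaseTemplate:
    organisation: str
    name: str
    custom_fields: dict


# Constructed sample data mirroring the report: the same template name in two
# organisations, each with its own value for the "customer_contact" field.
TEMPLATES = [
    CaseTemplate("Org-A", "case_template_1", {"customer_contact": "joe@org-a.com"}),
    CaseTemplate("Org-B", "case_template_1", {"customer_contact": "jim@org-b.com"}),
]


def lookup_by_name_only(templates, name):
    """Faulty lookup (assumed bug class): the index is keyed on the template
    name alone, so the template stored last under that name shadows the others,
    whatever organisation the caller's X-Organisation header names."""
    index = {t.name: t for t in templates}
    return index[name]


def lookup_scoped(templates, org, name):
    """Tenant-scoped lookup: organisation and name together form the key."""
    index = {(t.organisation, t.name): t for t in templates}
    if (org, name) not in index:
        raise LookupError(f"no template {name!r} in organisation {org!r}")
    return index[(org, name)]


def create_case(org, template_name, scoped):
    """Build a case from a template, as promoting an alert would (simplified)."""
    template = (lookup_scoped(TEMPLATES, org, template_name) if scoped
                else lookup_by_name_only(TEMPLATES, template_name))
    return {"organisation": org, "template": template_name,
            "custom_fields": dict(template.custom_fields)}


def audit_custom_fields(cases, templates):
    """Defender's check for step 5: flag a case whose custom field value differs
    from its own organisation's template but matches another organisation's
    template of the same name. Returns (case org, field, leaking org) tuples."""
    findings = []
    for case in cases:
        own = lookup_scoped(templates, case["organisation"], case["template"])
        for t in templates:
            if t.name != case["template"] or t.organisation == case["organisation"]:
                continue
            for fname, value in case["custom_fields"].items():
                if value != own.custom_fields.get(fname) and value == t.custom_fields.get(fname):
                    findings.append((case["organisation"], fname, t.organisation))
    return findings
```

Running the audit over cases exported from each organisation after a promotion is a cheap way to confirm whether the mix-up is present on a given instance.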
