### Description

#### Request Type

Bug

#### Work Environment
Question | Answer |
---|---|
OS version (server) | Debian 10.3 |
TheHive version / git hash | 4.1.4 |
Package Type | Binary / in Docker |
Database | Cassandra |
Index type | Lucene |
Attachments storage | Local |
#### Problem Description

Multi-tenancy issue observed.

We have several organizations in TheHive.
We also have a set of case templates under each organization (the same templates [same names] exist under each organization).
The case templates include a few custom fields. One of the fields is called "customer_contact" and contains a certain email address. Obviously, the value of that custom field is specific to the organization.
(i.e. let's say, as an example, we have

Org-A : template "case_template_1" : custom field "customer_contact" = "joe@org-a.com"
Org-B : template "case_template_1" : custom field "customer_contact" = "jim@org-b.com")
Based on the customer_contact field, external communication to the customer may be done, if necessary.
Now, just today I noticed the issue that a newly created Case under Organization-A had the custom field "customer_contact" populated with the Organization-B contact!
This is of course absolutely fatal, as the analysts most probably won't notice a wrong value there, and that may lead to cross-customer data contamination.
#### Steps to Reproduce

- under two organizations, prepare a case template with the same template name under each org
- add a custom field to both templates, and populate the custom field with different values under org-A and under org-B
- create an alert via API, specifying the "X-Organisation" header of organization A (the payload of the createAlert API contains the template name created in step 1)
- promote the alert to a Case via API, specifying the "X-Organisation" header of organization A (the payload of the createCase API also contains the template name created in step 1)
- check whether the custom field in the newly created case contains the template value from org-A or from org-B
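The following script runs steps 3 to 5 of the procedure above and flags a case whose contact field carries the other organization's template value. It is an added example, not code from the original report or from the TheHive project. It assumes a TheHive 4 instance with the v1 REST API at `/api/v1/alert`, `/api/v1/alert/{id}/case` and `/api/v1/case/{id}`, bearer API-key authentication with a key belonging to a user who is a member of both organizations, and case documents that return custom fields either as a list of `{"name", "type", "value"} ` objects or as a `{name: {type: value}}` map; the host, API key, template name and expected per-org values are placeholders taken from the report's example.

```python
"""Check whether a case promoted in one TheHive organisation picked up the
other organisation's template value for a custom field.

Added example, not code from the original report or from TheHive.
Assumptions not stated in the report: TheHive 4 v1 REST API paths
/api/v1/alert, /api/v1/alert/{id}/case and /api/v1/case/{id}; bearer
API-key auth; custom fields returned either as a list of
{"name", "type", "value"} objects or as a {name: {type: value}} map.
"""
import json
import urllib.request

THEHIVE_URL = "http://localhost:9000"  # assumption: local test instance
API_KEY = "REPLACE_ME"                 # assumption: key of a user belonging to both orgs
TEMPLATE = "case_template_1"
FIELD = "customer_contact"

# Per-org template values from the report's example (constructed test data).
EXPECTED = {"Org-A": "joe@org-a.com", "Org-B": "jim@org-b.com"}


def headers(org):
    """Request headers that scope the call to one organisation."""
    return {
        "Authorization": f"Bearer {API_KEY}",
        "Content-Type": "application/json",
        "X-Organisation": org,
    }


def alert_payload(org, source_ref):
    """Minimal createAlert body referencing the template name shared by both orgs."""
    return {
        "type": "external",
        "source": "tenant-check",
        "sourceRef": source_ref,
        "title": f"Template isolation check for {org}",
        "description": "Alert created only to verify per-org custom field values",
        "caseTemplate": TEMPLATE,
    }


def custom_field_value(case, name):
    """Read custom field `name` from a case document in either known shape."""
    fields = case.get("customFields", [])
    if isinstance(fields, list):  # v1 style: list of {"name", "type", "value"}
        for cf in fields:
            if cf.get("name") == name:
                return cf.get("value")
        return None
    entry = fields.get(name)      # v0 style: {name: {type: value, "order": n}}
    if isinstance(entry, dict):
        for key, value in entry.items():
            if key != "order":
                return value
        return None
    return entry


def check_isolation(org, case):
    """Compare the case's contact with the value expected for `org`.

    Returns (ok, actual, leaked_from); leaked_from is the other org whose
    template value showed up, or None when the value matches no known org.
    """
    actual = custom_field_value(case, FIELD)
    if actual == EXPECTED.get(org):
        return True, actual, None
    leaked_from = next((o for o, v in EXPECTED.items() if v == actual and o != org), None)
    return False, actual, leaked_from


def call(method, path, org, body=None):
    """Send one authenticated request in the context of `org` and decode the JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(THEHIVE_URL + path, data=data, method=method, headers=headers(org))
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def reproduce(org="Org-A", source_ref="tenant-check-1"):
    """Steps 3-5 of the report: create the alert, promote it, read the case back."""
    alert = call("POST", "/api/v1/alert", org, alert_payload(org, source_ref))
    case = call("POST", f"/api/v1/alert/{alert['_id']}/case", org, {"caseTemplate": TEMPLATE})
    case = call("GET", f"/api/v1/case/{case['_id']}", org)
    return check_isolation(org, case)


if __name__ == "__main__":
    ok, actual, leaked_from = reproduce("Org-A")
    if ok:
        print(f"OK: {FIELD} = {actual!r}, as defined in Org-A's template")
    else:
        print(f"LEAK: {FIELD} = {actual!r}, which belongs to {leaked_from or 'no known org'}")
```

Running the script once per organization (swap the `org` argument) gives the comparison the last step asks for; a `LEAK` result naming the other org is the condition described in the report. The `check_isolation` helper can also be pointed at a case document exported from the UI, which makes it usable for auditing cases created before the problem was noticed.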