Impact
The vulnerability is a missing permission check for API keys on specific endpoints. When a request is authenticated with an API key, the backend does not verify the permission scopes associated with that key, so the permission check is bypassed entirely for some endpoints.
This mainly affects projects that have inadvertently exposed their API keys on the internet, and projects whose users can use this vulnerability to modify data they are not permitted to access.
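The bug class described above, as an added illustration (not Tolgee's code): an authorization routine that validates the key and its project binding but never compares the key's scopes with what the endpoint requires, beside a fixed version that does, and that denies any route without a registered scope requirement. Key names, scope names and routes are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class ApiKey:
    key_id: str
    project_id: int
    scopes: frozenset[str]

# Constructed key store: two keys bound to project 1 with different scopes.
API_KEYS = {
    "key_viewer": ApiKey("key_viewer", 1, frozenset({"translations.view"})),
    "key_editor": ApiKey("key_editor", 1,
                         frozenset({"translations.view", "translations.edit"})),
}

# Every endpoint must be registered with the scopes it needs. Routes absent
# from this table are denied (default deny), so a route that nobody wired
# into the check cannot silently skip it, which is the failure mode here.
REQUIRED_SCOPES = {
    ("GET", "/v2/projects/{id}/translations"): {"translations.view"},
    ("PUT", "/v2/projects/{id}/translations"): {"translations.edit"},
}

def authorize_vulnerable(api_key: str, project_id: int, method: str, route: str) -> bool:
    """Before: the key is valid and bound to the project, and that is all
    that is checked. Any valid key can therefore reach any endpoint."""
    key = API_KEYS.get(api_key)
    return key is not None and key.project_id == project_id

def authorize_fixed(api_key: str, project_id: int, method: str, route: str) -> bool:
    """After: same lookup, then the key's scopes must cover the endpoint's
    required scopes; an unregistered endpoint is refused rather than assumed."""
    key = API_KEYS.get(api_key)
    if key is None or key.project_id != project_id:
        return False
    required = REQUIRED_SCOPES.get((method, route))
    if required is None:
        return False
    return required <= key.scopes

def audit_unregistered(routes: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Review aid: list routes from the router that have no scope
    requirement registered, i.e. the ones the fixed check would deny."""
    return [r for r in routes if r not in REQUIRED_SCOPES]
```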
Patches
Fixed in version 3.23.1.
References
Link to the fixing commit: https://github.com/tolgee/tolgee-platform/pull/1818/files