APAR status
Closed as fixed if next.
Error description
The issue reported is that a user opens their notification record and then changes the spec ID of that record in the URL (by editing the last digits) to open and view other TRIRIGA records. This is a security vulnerability because the user is able to see TRIRIGA records that should not be visible to them. Direct Object Reference vulnerabilities relate to the use of identifiers that are directly tied to content within a database or file system. Applications that expose direct object references are usually prone to security issues when one user is able to view content that belongs to another user simply by changing the reference value. Incomplete or inconsistent access controls are typically to blame for this vulnerability.
Local fix
No
Problem summary
Fixed. Notification records containing a temporary password were viewable by all TRIRIGA users. A workflow has been created to delete the Notification record containing the temporary password after the email notification with the temporary password has been sent to the user. This issue will be resolved in our next major release version, which is tentatively planned for 2H 2016.
Problem conclusion
Temporary fix
Comments
APAR Information
APAR number
IV84740
Reported component name
TRI APPLI SETUP
Reported component ID
5725F25AS
Reported release
A41
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-05-12
Closed date
2016-06-16
Last modified date
2016-06-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
RA51 PSY
UP
Document Information
Modified date:
30 March 2022