at f91d651, CNA loses data after PUT /org/:shortname/user/:username?org_short_name=
ElectricNroff opened this issue · 0 comments
cve-services/src/controller/cve-id.controller/cve-id.controller.js, lines 136 to 137 in f91d651
If a user is moved to a different organization via a PUT /org/:shortname/user/:username?org_short_name= API request by the Secretariat, then other users in the original organization see "user":"REDACTED" in GET /cve-id output for all of the CVE ID reservation work done by that user when they were previously a member of the original CNA. Before that PUT request, the original CNA was able to see who performed that CVE ID reservation work, may have been relying on that as important business records, and suddenly loses access to those business records as a result of the PUT request. For example, a remaining user of the original CNA could realistically have questions such as "Were CVE-2023-98765 through CVE-2023-98769 just reserved for possible future use, or was each one associated with a specific vulnerability?" and wouldn't be able to see who might have the answer to that question.
As far as I know, the only plausible reason for using PUT /org/:shortname/user/:username?org_short_name= is to move a user into a different organization controlled by the same company as the original organization. If someone changed jobs to a different company, it wouldn't make sense for the Secretariat to move their CVE Services user account to that other company's organization, because it's not possible to guarantee that the API Key is known only by that person (and not known by an administrator at the person's old company).
For example, we have one instance where a company added a new CNA that will be covering some of the vulnerabilities that had previously been covered by another CNA at that company. In the future, we may have users routinely move within the same company from a CNA-only organization to an ADP-only organization. In any of those cases, requested_by.cna would be the same as owning_cna, and it's important that the original CNA be able to see the original requested_by.user information, so that they can more easily find answers to questions about the purpose of each CVE ID in the GET /cve-id output.
If requested_by.cna is different from owning_cna, then the 'REDACTED' is desirable.
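The distinction the issue draws, expressed as an added illustration that is not cve-services code: a record-based rule (redact only when requested_by.cna differs from owning_cna, using the fields stored on the CVE ID record) beside a membership-based rule (redact whenever the requester is no longer a current member of the owning CNA), which is an assumption about the behaviour reported at f91d651, not code taken from it. Record fields follow the GET /cve-id names used in the issue; the sample records, users and organization names are constructed.

```javascript
// Added illustration, not cve-services code. Record shape uses the GET /cve-id
// fields the issue names: owning_cna and requested_by.{cna, user}.
const REDACTED = 'REDACTED';

// Constructed sample: "alice" reserved an ID while a member of CNA "acme-cna";
// a second ID owned by acme-cna was requested by a user of a different CNA.
const records = [
  { cve_id: 'CVE-2023-98765', owning_cna: 'acme-cna', requested_by: { cna: 'acme-cna', user: 'alice' } },
  { cve_id: 'CVE-2023-98766', owning_cna: 'acme-cna', requested_by: { cna: 'other-cna', user: 'bob' } },
];

// Rule the issue asks for: redact only when the requesting CNA differs from the
// owning CNA. Decided purely from the stored record, so a later user move
// between organizations cannot change what the owning CNA sees.
function redactByRecord(record) {
  const user = record.requested_by.cna === record.owning_cna ? record.requested_by.user : REDACTED;
  return { ...record, requested_by: { ...record.requested_by, user } };
}

// Assumed membership-based rule (a guess at the reported behaviour, not the
// project's code): redact whenever the requester is not currently a member of
// the owning CNA. "membership" maps username -> current org short name.
function redactByMembership(record, membership) {
  const currentOrg = membership.get(record.requested_by.user);
  const user = currentOrg === record.owning_cna ? record.requested_by.user : REDACTED;
  return { ...record, requested_by: { ...record.requested_by, user } };
}

// What a remaining member of owningCna sees in requested_by.user under each rule.
function view(owningCna, membership) {
  const own = records.filter((r) => r.owning_cna === owningCna);
  return {
    byRecord: own.map(redactByRecord).map((r) => r.requested_by.user),
    byMembership: own.map((r) => redactByMembership(r, membership)).map((r) => r.requested_by.user),
  };
}

// Constructed membership before and after the Secretariat moves alice to a
// second organization of the same company (e.g. an ADP-only org).
const before = new Map([['alice', 'acme-cna'], ['bob', 'other-cna']]);
const after = new Map([['alice', 'acme-adp'], ['bob', 'other-cna']]);

console.log('before move:', view('acme-cna', before));
console.log('after move: ', view('acme-cna', after));
```

Under the record-based rule acme-cna still sees alice after the move while bob stays redacted; under the membership-based rule alice's work becomes REDACTED as well, which is the data loss the issue describes.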