Users without editor access to Apps could still create new users and grant them App access.
Affected Versions: 2.6, 2.6.1
Fix Version: 2.7
Root cause(s)
During the recent enhancements in version 2.6 related to redesigning user access control in Apps, a validation step to verify user access for the App before granting permissions was inadvertently missed.
Impact
Any user with permission to create new users could grant access to Apps that they themselves do not have access to.
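The missing check described under Root cause(s) and Impact, sketched as an added example that is not Amorphic's code. The `User` model, the access-level names and both functions are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Hypothetical access levels and data model (assumptions, not Amorphic's API).
EDITOR = "editor"
READ_ONLY = "read-only"


class AuthorizationError(Exception):
    pass


@dataclass
class User:
    name: str
    can_create_users: bool = False
    app_access: dict = field(default_factory=dict)  # app id -> access level


def create_user_unchecked(caller, new_name, app_grants):
    """Flawed flow: only the create-user permission is verified."""
    if not caller.can_create_users:
        raise AuthorizationError(f"{caller.name} may not create users")
    return User(new_name, app_access=dict(app_grants))


def create_user_checked(caller, new_name, app_grants):
    """Adds the missing step: caller needs editor access on every granted App."""
    if not caller.can_create_users:
        raise AuthorizationError(f"{caller.name} may not create users")
    denied = sorted(a for a in app_grants if caller.app_access.get(a) != EDITOR)
    if denied:
        raise AuthorizationError(
            f"{caller.name} lacks editor access to: {', '.join(denied)}")
    return User(new_name, app_access=dict(app_grants))


def demo():
    # Constructed sample: alice can create users but edits only app-reports.
    alice = User("alice", can_create_users=True,
                 app_access={"app-reports": EDITOR, "app-finance": READ_ONLY})
    grants = {"app-reports": READ_ONLY, "app-finance": EDITOR}
    leaked = create_user_unchecked(alice, "bob", grants).app_access
    try:
        create_user_checked(alice, "bob", grants)
        blocked = None
    except AuthorizationError as exc:
        blocked = str(exc)
    return leaked, blocked
```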
Mitigation
Fix available
Fix is available in Amorphic version 2.7. Please upgrade to the latest version to resolve this issue.
Timeline
- 2024-10-13: Bug reported/identified (CLOUD-5003)
- 2024-10-14: Bug triaged
- 2024-10-14: Bug fixed
- 2024-10-14: Testing completed
- 2024-10-14: Version 2.7 released with the fix