Users invited as "App Viewer" should not have access to a workspace's development information, and datasources are one such component. Yet app viewers are able to list the datasources in a workspace they are a member of. This information disclosure does NOT expose sensitive data stored in the datasources, such as database passwords and API keys.
To exploit this, an attacker must first have been invited to a workspace as a "viewer" by a member of that workspace with permission to invite, and must then be able to sign up or log in to that Appsmith instance.
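The flaw is a broken access check in which workspace membership alone is treated as sufficient to read datasources. The following is an added illustration, not Appsmith's code: a hypothetical model of the check with the membership-only version beside a role-gated version. Role names, the workspace structure and the sample members are all constructed for the example.

```python
# Hypothetical model of the access check described above; not Appsmith's code.
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ADMIN = "admin"
    DEVELOPER = "developer"
    VIEWER = "viewer"


# Constructed policy: only these roles may read development information such as datasources.
DATASOURCE_READ_ROLES = {Role.ADMIN, Role.DEVELOPER}


@dataclass
class Workspace:
    name: str
    members: dict[str, Role] = field(default_factory=dict)
    datasources: list[str] = field(default_factory=list)


def list_datasources_vulnerable(ws: Workspace, user: str) -> list[str]:
    """Flawed check: any workspace member, including an App Viewer, gets the list."""
    if user not in ws.members:
        raise PermissionError(f"{user} is not a member of {ws.name}")
    return list(ws.datasources)


def list_datasources_fixed(ws: Workspace, user: str) -> list[str]:
    """Hardened check: membership is not enough; the member's role must grant datasource read."""
    role = ws.members.get(user)
    if role is None or role not in DATASOURCE_READ_ROLES:
        raise PermissionError(f"{user} may not list datasources in {ws.name}")
    return list(ws.datasources)


def demo() -> dict[str, bool]:
    """Constructed workspace with one developer and one invited viewer.
    Returns, per check, whether the viewer was able to list datasources."""
    ws = Workspace("acme",
                   {"dev@example.com": Role.DEVELOPER, "viewer@example.com": Role.VIEWER},
                   ["postgres-main", "payments-api"])
    outcome = {}
    for label, check in (("vulnerable", list_datasources_vulnerable),
                         ("fixed", list_datasources_fixed)):
        try:
            check(ws, "viewer@example.com")
            outcome[label] = True
        except PermissionError:
            outcome[label] = False
    return outcome
```

Running `demo()` shows the viewer succeeding against the membership-only check and being refused by the role-gated one, while a developer is served by both.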
Impact
Information Disclosure.
Patches
v1.51
Workarounds
None.