Vulnerabilities > CVE-2018-20345 - Unspecified vulnerability in Stackstorm
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE network
stackstorm
Summary
Incorrect access control in StackStorm API (st2api) in StackStorm before 2.9.2 and 2.10.x before 2.10.1 allows an attacker (who has a StackStorm account and is authenticated against the StackStorm API) to retrieve datastore items for other users by utilizing the /v1/keys "?scope=all" and "?user=<username>" query filter parameters. Enterprise editions with RBAC enabled are not affected.