In Mender, you can use the role based access control (RBAC) system to limit what devices and actions different users have access to. The customer who reported the issue discovered that the /devauth/devices API did not respect this, and gave results, with some limited read-only information, for all devices in the organization
The security mechanism of filtering devices based on role and device groups could be bypassed using this vulnerability. For customers which split up their devices into groups and only give some roles / users access to some groups, this meant that those users would have access to more information than intended. It should be noted that the severity of this is quite limited, due to multiple factors:
Due to the complexity of implementing this filtering in this specific API / microservice, we have chosen to disable this API for those users which should only have access to some devices. Thus, the users which have limited access, because their role gives them access to a device group, are no longer able to use this API:
GET /api/management/v2/devauth/devices
However, they can still use query parameters to get the same data, for individual devices, like this:
GET /api/management/v2/devauth/devices?id=75a99891-f4b2-4d90-ae99-ea86c3d1184d
In that case, RBAC is respected, whether you have access to that device will be checked. (Same as before, this has not changed).
If you are using hosted Mender, this fix has already been deployed and you do not have to do anything. For customers running Mender on-prem, upgrading to version 3.6.5, 3.7.5, or later versions will resolve the issue.