`cve-services/src/repositories/baseOrgRepository.js`, lines 857 to 860 in 791d31f:

```javascript
// Fields a PUT /registry/org/:shortname body may not overwrite; note that inUse is absent.
const protectedFields = ['_id', 'UUID', '__v', '__t', 'created', 'last_updated', 'createdAt', 'updatedAt', 'users', 'admins']

if (isSecretariat || _.isEmpty(jointApprovalFieldsRegistry)) {
  // The stored document is rebuilt from its protected fields plus the non-protected fields of the request body.
  updatedLegacyOrg = legacyOrg.overwrite(_.mergeWith(_.pick(legacyOrg.toObject(), protectedFields), _.omit(legacyObjectRaw, protectedFields), skipNulls))
  updatedRegistryOrg = registryOrg.overwrite(_.mergeWith(_.pick(registryOrg.toObject(), protectedFields), _.omit(registryObjectRaw, protectedFields), skipNulls))
  // ... (excerpt ends here)
```

`cve-services/src/controller/cve-id.controller/cve-id.controller.js`, line 242 in 791d31f:

```javascript
hasLock = await orgRepo.findOneAndUpdate({ short_name: shortName, inUse: false }, { $set: { inUse: true } }, { new: true }) // set lock for org
```

Because `inUse` is not a protected field, a non-Secretariat admin caller can use `PUT /registry/org/:shortname` to replace a document in the Org collection with one that has no `inUse` property, which discards the lock that the CVE ID reservation code sets through `findOneAndUpdate`. The timing is realistic because non-sequential CVE ID reservations sometimes take several seconds (especially if there are not many CVE IDs currently in the AVAILABLE state).

Concurrent CVE ID reservations by the same organization are problematic because, for example, they can bypass CVE ID quotas.
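The two code paths quoted in the report, replayed as an added example that is not cve-services code: an in-memory model of the org overwrite and of the `inUse` lock, run once with the protected-field list as it stands and once with `inUse` added to it. `pick`, `omit` and the `skipNulls` merge are hand-written stand-ins for the lodash calls, the Org collection is a `Map`, and the sample org document and PUT bodies are constructed for this demo. It assumes the Org schema defaults `inUse` to `false`, so a document saved without the field comes back unlocked.

```javascript
// Added example, not cve-services code: an in-memory model of the two code
// paths quoted in the report (the org overwrite in baseOrgRepository.js and
// the inUse lock in cve-id.controller.js). pick/omit/mergeWith+skipNulls are
// hand-written stand-ins for the lodash calls, the Org collection is a Map,
// and the sample org document and PUT bodies are constructed for this demo.
// Assumption: the Org schema defaults inUse to false, so a document saved
// without that field comes back unlocked.

const PROTECTED_FIELDS_ORIGINAL = ['_id', 'UUID', '__v', '__t', 'created',
  'last_updated', 'createdAt', 'updatedAt', 'users', 'admins'];
// Hardened list: with the lock field protected, a PUT body can neither drop
// inUse nor set it explicitly.
const PROTECTED_FIELDS_FIXED = [...PROTECTED_FIELDS_ORIGINAL, 'inUse'];

function pick(obj, keys) {
  return Object.fromEntries(Object.entries(obj).filter(([k]) => keys.includes(k)));
}

function omit(obj, keys) {
  return Object.fromEntries(Object.entries(obj).filter(([k]) => !keys.includes(k)));
}

// Stand-in for _.mergeWith(base, src, skipNulls), assuming skipNulls means
// "a null in the request body does not wipe the existing value".
function mergeSkipNulls(base, src) {
  const out = { ...base };
  for (const [k, v] of Object.entries(src)) {
    if (v !== null && v !== undefined) out[k] = v;
  }
  return out;
}

// Model of org.overwrite(_.mergeWith(_.pick(stored, protected), _.omit(body, protected), skipNulls)):
// the new document is the stored copy's protected fields plus the request
// body's non-protected fields. A non-protected stored field that the body
// omits (inUse, under the original list) simply disappears.
function buildOverwrite(stored, body, protectedFields) {
  return mergeSkipNulls(pick(stored, protectedFields), omit(body, protectedFields));
}

// Persist the rebuilt document, applying the assumed schema default for inUse.
function saveOrg(collection, doc) {
  const saved = { inUse: false, ...doc };
  collection.set(saved.short_name, saved);
  return saved;
}

// Model of orgRepo.findOneAndUpdate({ short_name, inUse: false }, { $set: { inUse: true } }, { new: true }):
// a compare-and-set on the lock flag; null means another reservation holds it.
function tryAcquireLock(collection, shortName) {
  const doc = collection.get(shortName);
  if (!doc || doc.inUse !== false) return null;
  doc.inUse = true;
  return doc;
}

// Replay the race from the report: reservation A takes the lock, an admin PUT
// for the same org lands while A is still running, then reservation B tries
// the lock. Returns what happened at each step.
function replayRace(protectedFields, putBody = { short_name: 'example_cna', name: 'Example CNA (renamed)' }) {
  const orgs = new Map();
  saveOrg(orgs, { _id: 'oid-1', UUID: 'uuid-1', short_name: 'example_cna',
    name: 'Example CNA', users: [], admins: [] }); // constructed sample org

  const reservationA = tryAcquireLock(orgs, 'example_cna');
  const rebuilt = buildOverwrite(orgs.get('example_cna'), putBody, protectedFields);
  saveOrg(orgs, rebuilt);
  const reservationB = tryAcquireLock(orgs, 'example_cna');

  return {
    aAcquired: reservationA !== null,
    lockSurvivedPut: rebuilt.inUse === true,
    bAcquiredConcurrently: reservationB !== null,
  };
}

console.log('original protectedFields:', replayRace(PROTECTED_FIELDS_ORIGINAL));
console.log('inUse protected:        ', replayRace(PROTECTED_FIELDS_FIXED));
```

With the original list the PUT body, which carries no `inUse` key, produces a rebuilt document without the flag, the save applies the default `false`, and reservation B acquires the lock while A is still running. With `inUse` protected, the flag is copied from the stored document regardless of what the body says (including an explicit `inUse: false`, which `omit` strips), so B is refused until A releases the lock.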