5 matches found
New Relic: Ability to run monitors' jobs of other accounts and to read these jobs content (including the secure credentials values)
@skavans identified an endpoint for testing Synthetics monitors. Without proper validation, this could allow monitors from other accounts to run on your account with knowledge of the monitor's ID: POST /accounts//monitors/monitor/recheck.json?monitorId= HTTP/1.1 Host: synthetics.newrelic.com...
New Relic: User can run monitors at private locations, which he has no access to
@skavans discovered that insufficient validation was performed when configuring Synthetics monitors allowing deployment to arbitrary private locations with knowledge of the location ID: POST /accounts//validation.json HTTP/1.1 Host: synthetics.newrelic.com...
New Relic: NRQL Query allows restricted user to pull all data from Synthetics monitors without having read permissions enabled
@jonbottarini identified an issue where our permissions for Synthetics didn't match the permissions elsewhere in our product. This eventually led to a change in our underlying permissions code to unify our products and prevent issues like this...
New Relic: [NR Synthetics] Restricted user can view synthetics monitors and user permissions through .json endpoint at /permissions/securablemetadata/{GROUP ID}
This report is two reports in one, but I figured why create two reports when the root cause is essentially the same exact endpoint. Description When a restricted user with no permissions to view synthetics monitors tries to navigate to the permissions settings within Synthetics...
New Relic: Restricted User is able to edit Alert Conditions of Synthetics Monitors even if Synthetics Permissions is enabled by an admin
In this vulnerability, a restricted user is able to edit the alert conditions of a synthetics monitor, even if he is unauthorized to do so. Steps to reproduce: - Admin user invites User1 to New Relic account as a restricted user - User1 accepts invitation, joins the account - Admin goes to...