Chapter 3. Evergreen 2.11.3

Table of Contents

Security Issue: Credit Processor Stripe Settings Permissions
Missing Upgrade Script Notice
Other Fixes
Acknowledgements

This is a security release that also contains several other bugfixes improving on Evergreen 2.11.2. All users of Evergreen 2.11.x are recommended to upgrade to 2.11.3 as soon as possible.

Security Issue: Credit Processor Stripe Settings Permissions

Unprivileged users can retrieve organizational unit setting values for setting types lacking a "view" permission. When the feature adding Stripe credit card processing was added, the upgrade script neglected to add the VIEW_CREDIT_CARD_PROCESSING permission to the organizational unit setting type. This means that anyone can retrieve and view the settings for Stripe credit card processing.

Any system that upgraded from Evergreen version 2.5 to 2.6 is affected. If you use Stripe for credit card processing, it is strongly recommended that you apply this upgrade. Even if you do not use Stripe, applying this upgrade is still recommended. If you did not upgrade from version 2.5 to 2.6 of Evergreen, but started with a later version, applying this upgrade is harmless.

If you are not ready to perform a full upgrade, and if you use Stripe, you can protect the settings by running the following two SQL statements:

UPDATE config.org_unit_setting_type
    SET view_perm = (SELECT id FROM permission.perm_list
        WHERE code = 'VIEW_CREDIT_CARD_PROCESSING' LIMIT 1)
    WHERE name LIKE 'credit.processor.stripe%' AND view_perm IS NULL;

UPDATE config.org_unit_setting_type
    SET update_perm = (SELECT id FROM permission.perm_list
        WHERE code = 'ADMIN_CREDIT_CARD_PROCESSING' LIMIT 1)
    WHERE name LIKE 'credit.processor.stripe%' AND update_perm IS NULL;