Description: Due to a flaw in the Task authorization rule, users authenticated via a valid client certificate from trusted certificate authorities and a corresponding entry in the local DSF allow-list are able to execute processes that should otherwise not be allowed via the ActivityDefinition authorization extension of the process.
Workaround: Disable access for untrusted organizations by setting Organization.active to false.
Affected Versions: <= 0.9.1