When a Secretariat user calls `updateOrg` in `registry-org.controller.js`, they can provide a UUID. There is no legitimate reason for doing this, and, if it happened accidentally through user error, it would disrupt the database by interfering with the meaning of data in the Cve, Cve-Id, and Audit collections. It could potentially be a conflicting UUID (same as the one of a different organization). This is blocked in `createOrg`:
```js
// Do not allow the user to pass in a UUID
if ((body?.UUID ?? null) || (body?.uuid ?? null)) {
  return res.status(400).json(error.uuidProvided('org'))
```
cve-services/src/controller/registry-org.controller/registry-org.controller.js
Lines 143 to 145 in 15238d1
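
One way to keep the create and update paths from drifting apart is to move the check into a single guard that both routes share. The sketch below is an added example, not code from cve-services: every name in it (`rejectClientUuid`, `clientUuidKeys`, `uuidProvidedError`, the in-memory `orgs` store and the `invoke` harness) is hypothetical, and it assumes Express-style `req`/`res`/`next` handlers. It is deliberately stricter than the quoted check, rejecting on key presence and on any letter case.

```javascript
// Hypothetical names throughout; this is not code from cve-services.

// Stand-in for the project's error.uuidProvided('org') response body.
function uuidProvidedError (kind) {
  return { error: 'UUID_PROVIDED', message: `A UUID may not be supplied for the ${kind}.` }
}

// Keys in the body that name a UUID. Matching is case-insensitive and based on
// key presence, so "UUID", "uuid", "Uuid" and an empty value are all caught.
function clientUuidKeys (body) {
  if (body === null || typeof body !== 'object') return []
  return Object.keys(body).filter((k) => k.toLowerCase() === 'uuid')
}

// Express-style middleware; mount the same instance on create and update.
function rejectClientUuid (kind) {
  return function (req, res, next) {
    if (clientUuidKeys(req.body).length > 0) {
      return res.status(400).json(uuidProvidedError(kind))
    }
    return next()
  }
}

// Constructed in-memory store and update handler, standing in for the database.
const orgs = new Map([['acme', { short_name: 'acme', UUID: 'constructed-uuid-1' }]])
function updateOrg (req, res) {
  orgs.set('acme', { ...orgs.get('acme'), ...req.body })
  return res.status(200).json(orgs.get('acme'))
}

// Minimal request/response stand-in so the chain runs without Express.
function invoke (chain, body) {
  const out = { status: null, body: null }
  const res = {
    status (code) { out.status = code; return res },
    json (payload) { out.body = payload; return res }
  }
  const req = { body }
  let i = 0
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next) }
  next()
  return out
}

const guardedUpdate = [rejectClientUuid('org'), updateOrg]
console.log(invoke(guardedUpdate, { UUID: 'constructed-uuid-2' }).status)
console.log(invoke(guardedUpdate, { name: 'Acme Corp' }).status)
```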