In attempting to determine whether this warrants a security advisory we should discuss the associated risks, intention, and any precedent it might set for issuance of future advisories. In essence, this looks like a potential detection bypass. In a multi-version-capable deployment a malicious actor could use the v2 API to hide role grant/remove activities in an effort to avoid creating an audit trail. This doesn't allow them to perform activities they would not normally be able to. A few related questions to help classify this further:
Was this previously logged and then a regression introduced which caused it to stop logging, or was it merely added to the v3 API but never implemented for v2?
Is logging parity between API versions considered a security requirement, such that any new action logging added in newer API versions must necessarily also be included in earlier versions?
If we consider this a vulnerability, is there some standard we can consult identifying what activities must be logged so that any which aren't similarly qualify as vulnerabilities when we eventually discover them?