Summary
| Advisory ID | Product & Versions Affected | Risk Category & Score | Explicit Requirements |
| DP-439649 | Products:
Versions:
| Operational: 4 – High Risk System Stability: 3 – Medium Risk This issue does not constitute a security vulnerability. It does not allow users to bypass permissions checks or access data outside their authorized namespace | Use of implied namespaces, the Management Portal, or mixed read-write/read-only access to databases |
An issue in the InterSystems products listed above may trigger unexpected <PROTECT> errors when switching between namespaces or accessing globals in environments using any of the following features:
- Implied namespaces
- Read-only access to the default database but read-write access elsewhere
- The Management Portal pages that list routines and globals
The symptoms of the issue include:
- There are namespace creation failures (DP-440830)
- Access is denied intermittently when listing routines in the Management Portal (DP-439622)
- Global display utility shows no globals if the user only has read-only permissions (DP-440744)
All of these have been resolved by DP-439649, which corrects how permission checks are applied to process-private globals and for implied namespace resolution. These corrections address failures in behavior — not failures in access control. Permissions are enforced correctly, and users cannot access globals or namespaces outside their assigned scope.
This issue is fixed in versions 2025.1.0.230.2, 2024.1.4.516.1, 2023.1.6.810.1, and 2022.1.7.116.1, of the following products:
- InterSystems IRIS
- InterSystems IRIS for Health
- HealthShare® Health Connect
For More Information
If you have questions or need assistance, please contact the InterSystems Worldwide Response Center (WRC).