The latest deployment of Bosch IoT Things, the digital twin layer of Bosch IoT Device Management, comes with a security fix/hardening.
Until last week, at the time of creating a thing, our services allowed to reference the new thing to an existing policy ID, even if the authorized subject would not have had any permission on the referenced policy.
As that behavior could result into a potential security leak, we have changed the logic, and now enforce that the authorized subject creating the new thing has at least READ permission on the referenced policy.
The potential leak has not been exploited so far.
However, in case your application would run into an error when creating things, please make sure that the authorized subject has at least READ permission on the policy as well.
At this occasion, various minor bugs have also been fixed.