
CVE-2023-3629 Non-admins should not be able to get cache config via REST API


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 14.0.18.Final, 15.0.0.Dev04
    • Affects Version/s: 11.0.15.Final, 12.1.12.Final, 15.0.0.Dev01, 14.0.11.Final, 13.0.17.Final
    • Component/s: REST, Security
    • Labels: None

    Description

      The REST endpoints that retrieve cache configurations don't check for ADMIN permissions:

      GET /rest/v2/caches/{cacheName}?action=config
      GET /rest/v2/caches

      The cache configuration may contain information about filesystem paths and allowed security roles which should not be viewable by non-administrators.

      The first endpoint should return 403 when the caller lacks the required permission.
      The second endpoint should omit the full cache configuration from its response (the other information it returns is not security-sensitive).

      The methods require authentication, but once authenticated, any user can invoke them successfully.
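      A post-upgrade verification an operator can run against their own server, added here as an example (not Infinispan project code): it authenticates as a non-admin user and checks both behaviours the issue asks for, without printing any configuration. The server URL, the credentials, the cache name, the use of Basic authentication and the "configuration"/"config" key names in listing entries are assumptions.

```python
"""Verify the ISPN-14986 / CVE-2023-3629 fix as a non-admin user (added example)."""
import base64
import json
import urllib.error
import urllib.request

SERVER = "http://localhost:11222"          # placeholder server URL
USER, PASSWORD = "reader", "reader-pass"   # placeholder NON-admin credentials
CONFIG_KEYS = ("configuration", "config")  # assumed names of an embedded config key


def config_endpoint_ok(status: int) -> bool:
    """GET /rest/v2/caches/{name}?action=config must be refused for non-admins."""
    return status == 403


def listing_leaks_config(body: str) -> list:
    """Names of caches whose GET /rest/v2/caches entry still embeds a configuration.

    An empty list means the listing behaves as the fix requires.
    """
    leaking = []
    for entry in json.loads(body):
        if isinstance(entry, dict) and any(k in entry for k in CONFIG_KEYS):
            leaking.append(str(entry.get("name", "?")))
    return leaking


def _get(path: str):
    """HTTP GET with Basic auth; returns (status, body) and does not raise on 4xx."""
    token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    req = urllib.request.Request(SERVER + path,
                                 headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def check_server(cache_name: str) -> dict:
    """Run both checks against a live server; only pass/fail facts are returned."""
    status, _ = _get(f"/rest/v2/caches/{cache_name}?action=config")
    _, listing = _get("/rest/v2/caches")
    return {"config_forbidden": config_endpoint_ok(status),
            "caches_leaking_config": listing_leaks_config(listing)}


if __name__ == "__main__":
    print(check_server("default"))  # placeholder cache name
```

A fixed server yields {"config_forbidden": True, "caches_leaking_config": []} for a non-admin account.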

      People

        Tristan Tarrant (ttarrant@redhat.com)