
CVE-2023-3629 Non-admins should not be able to get cache config via REST API

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 14.0.18.Final, 15.0.0.Final
    • 11.0.15.Final, 12.1.12.Final, 14.0.11.Final, 13.0.17.Final, 15.0.0.Final
    • REST, Security
    • None

The REST endpoints that retrieve cache configurations don't check for ADMIN permissions:

    GET /rest/v2/caches/{cacheName}?action=config
    GET /rest/v2/caches

The cache configuration may contain information about filesystem paths and allowed security roles which should not be viewable by non-administrators.

The first method should return a 403 in case the user doesn't have appropriate permissions.
The second method should omit the full cache configuration from the response (it returns other, non-security-sensitive information).

The methods require authentication, but once authenticated, any user can invoke them successfully.
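As an added check (example code, not part of this issue or of Infinispan), the script below verifies that a deployment behaves the way the issue requires: using non-admin credentials it requests a cache's configuration and the cache listing, then flags a 200 on the config action or any listing entry that still carries a configuration. It assumes HTTP Basic authentication on the REST endpoint and the key names in CONFIG_KEYS, neither of which the issue states.

```python
"""Post-fix check for CVE-2023-3629 (constructed example, not Infinispan code).
Assumptions: the REST endpoint accepts HTTP Basic authentication, and a listing
entry that leaked its configuration would do so under a CONFIG_KEYS name.
Use the credentials of a non-admin user on a server you operate."""
import base64
import json
import urllib.error
import urllib.request

CONFIG_KEYS = ("configuration", "config")  # assumed key names, not from the issue

def config_endpoint_verdict(status: int) -> str:
    """Classify GET /rest/v2/caches/{name}?action=config as seen by a non-admin user."""
    if status == 403:
        return "fixed"         # the behaviour the issue asks for
    if status == 200:
        return "vulnerable"    # full configuration handed to a non-admin
    return "inconclusive"      # e.g. 401: the credentials did not authenticate at all

def caches_exposing_config(listing: list) -> list:
    """Names of caches whose GET /rest/v2/caches entry still carries a configuration."""
    return [entry.get("name", "?") for entry in listing
            if any(key in entry for key in CONFIG_KEYS)]

def _get(base_url: str, path: str, user: str, password: str):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:   # 403 and friends are raised, not returned
        return err.code, err.read()

def audit(base_url: str, cache: str, user: str, password: str) -> dict:
    """Run both checks and report whether either endpoint still exposes configuration."""
    status, _ = _get(base_url, f"/rest/v2/caches/{cache}?action=config", user, password)
    list_status, body = _get(base_url, "/rest/v2/caches", user, password)
    leaked = caches_exposing_config(json.loads(body)) if list_status == 200 else []
    return {"config_endpoint": config_endpoint_verdict(status), "listing_exposes_config": leaked}

# Constructed listing (not real server output) so the parsing can be exercised offline.
SAMPLE_LISTING = [{"name": "sessions", "type": "distributed-cache"},
                  {"name": "secrets", "configuration": {"local-cache": {"persistence": {}}}}]

if __name__ == "__main__":
    print(caches_exposing_config(SAMPLE_LISTING))  # ['secrets']
```

Point `audit()` at the server base URL (for example `http://host:11222`) with a non-admin account; a "vulnerable" verdict or a non-empty leak list means the fix is not in place.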

Tristan Tarrant (ttarrant@redhat.com)
Archiver: Amol Dongare (rhn-support-adongare)
