
CVE-2023-3629 Non-admins should not be able to get cache config via REST API


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 14.0.18.Final, 15.0.0.Dev04
    • Affects Version/s: 11.0.15.Final, 12.1.12.Final, 15.0.0.Dev01, 14.0.11.Final, 13.0.17.Final
    • Component/s: REST, Security

The REST endpoint to retrieve cache configurations doesn't check for ADMIN permissions:

GET /rest/v2/caches/{cacheName}?action=config
GET /rest/v2/caches

The cache configuration may contain information about filesystem paths and allowed security roles which should not be viewable by non-administrators.

The first method should return a 403 in case the user doesn't have appropriate permissions.
The second method should omit the full cache configuration from the response (it returns other, non-security sensitive information).

The methods require authentication, but once authenticated, any user can invoke them successfully.
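The following is an added verification script, not Infinispan project code: it checks a deployment for the behaviour described above by calling both endpoints with a non-admin credential and reporting whether action=config still answers with something other than 403 or the cache list still carries a configuration. It assumes Basic authentication is enabled on the REST connector and that an exposed configuration would appear under a "configuration" or "config" key in the list response (both assumed names).

```python
# Added example (not Infinispan code): classify an Infinispan server's exposure to
# ISPN-14986 / CVE-2023-3629 from the two REST calls made with a NON-admin account.
import base64
import json
import urllib.error
import urllib.request

CONFIG_KEYS = ("configuration", "config")  # assumed key names carrying a cache config


def classify(config_status, caches_body):
    """Verdict from the HTTP status of GET /rest/v2/caches/{name}?action=config
    and the JSON body of GET /rest/v2/caches, both fetched as a non-admin user.
    Patched servers answer 403 to the first and omit the config from the second."""
    findings = []
    if config_status != 403:
        findings.append(f"action=config answered {config_status} instead of 403")
    caches = json.loads(caches_body) if caches_body else []
    for entry in caches:  # older servers return plain names, newer ones objects
        if isinstance(entry, dict) and any(k in entry for k in CONFIG_KEYS):
            findings.append(f"cache list exposes configuration of {entry.get('name', '?')}")
            break
    return ("vulnerable", findings) if findings else ("fixed", [])


def check_server(base_url, cache_name, user, password, timeout=10):
    """Query a live server with a non-admin account (Basic auth assumed) and classify it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}

    def get(path):
        req = urllib.request.Request(base_url.rstrip("/") + path, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, ""

    config_status, _ = get(f"/rest/v2/caches/{cache_name}?action=config")
    list_status, list_body = get("/rest/v2/caches")
    return classify(config_status, list_body if list_status == 200 else "")


if __name__ == "__main__":
    import sys  # usage: script.py http://host:11222 <cache> <non-admin user> <password>
    print(check_server(*sys.argv[1:5]))
```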

Assignee: Tristan Tarrant (ttarrant@redhat.com)
Reporter: Tristan Tarrant (ttarrant@redhat.com)