[ISPN-14986] CVE-2023-3629 Non-admins should not be able to get cache config via REST API

This issue belongs to an archived project. You can view it, but you can't modify it. Learn more

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 14.0.18.Final, 15.0.0.Final
Affects Version/s: 11.0.15.Final, 12.1.12.Final, 14.0.11.Final, 13.0.17.Final, 15.0.0.Final
Component/s: REST, Security
Labels:
None

Git Pull Request:
https://github.com/infinispan/infinispan/pull/11319, https://github.com/infinispan/infinispan/pull/11320

The REST endpoint to retrieve cache configurations doesn't check for ADMIN permissions:

GET /rest/v2/caches/{cacheName}?action=config
GET /rest/v2/caches

The cache configuration may contain information about filesystem paths and allowed security roles which should not be viewable by non-administrators.

The first method should return a 403 in case the user doesn't have appropriate permissions.
The second method should omit the full cache configuration from the response (it returns other, non-security sensitive information).

The methods require authentication, but once authenticated, any user can invoke them successfully.

causes

ISPN-15198 Console cache detail is broken for non admins

Resolved

is caused by

ISPN-11525 Cache and Cache Manager REST endpoint does not handle correctly security

Closed

There are no comments yet on this issue.

Assignee:: Tristan Tarrant

Reporter:: Tristan Tarrant

Archiver:: Amol Dongare

Created:: 2023/06/22 5:05 AM

Updated:: 2024/07/12 4:14 PM

Resolved:: 2023/09/28 4:05 PM

Archived:: 2024/11/28 6:21 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty