[ISPN-14986] CVE-2023-3629 Non-admins should not be able to get cache config via REST API

This issue belongs to an archived project. You can view it, but you can't modify it. Learn more

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 14.0.18.Final, 15.0.0.Final
Affects Version/s: 11.0.15.Final, 12.1.12.Final, 14.0.11.Final, 13.0.17.Final, 15.0.0.Final
Component/s: REST, Security
Labels:
None

Git Pull Request:
https://github.com/infinispan/infinispan/pull/11319, https://github.com/infinispan/infinispan/pull/11320

The REST endpoint to retrieve cache configurations doesn't check for ADMIN permissions:

GET /rest/v2/caches/{cacheName}?action=config
GET /rest/v2/caches

The cache configuration may contain information about filesystem paths and allowed security roles which should not be viewable by non-administrators.

The first method should return a 403 in case the user doesn't have appropriate permissions.
The second method should omit the full cache configuration from the response (it returns other, non-security sensitive information).

The methods require authentication, but once authenticated, any user can invoke them successfully.

causes

ISPN-15198 Console cache detail is broken for non admins

Resolved

is caused by

ISPN-11525 Cache and Cache Manager REST endpoint does not handle correctly security

Closed

Tristan Tarrant created issue - 2023/06/22 5:05 AM

Tristan Tarrant made changes - 2023/06/22 5:07 AM

Link

New: This issue is caused by ~~ISPN-11525~~ [ ~~ISPN-11525~~ ]

Tristan Tarrant made changes - 2023/06/22 5:07 AM

Affects Version/s		New: 13.0.17.Final [ 12409032 ]
Affects Version/s		New: 12.1.12.Final [ 12379804 ]
Affects Version/s		New: 11.0.15.Final [ 12379353 ]

Tristan Tarrant made changes - 2023/06/22 7:04 AM

Security

Original: Red Hat Internal [ 10291 ]

New: Security Issue [ 10292 ]

Tristan Tarrant made changes - 2023/06/22 7:09 AM

Description

Original: The REST endpoint to retrieve cache configurations doesn't check for ADMIN permissions:
/rest/v2/caches/{cacheName}?action=config

New: The REST endpoint to retrieve cache configurations doesn't check for ADMIN permissions:

{{
GET /rest/v2/caches/{cacheName}?action=config
GET /rest/v2/caches
}}

Tristan Tarrant made changes - 2023/06/22 7:12 AM

Description

Original: The REST endpoint to retrieve cache configurations doesn't check for ADMIN permissions:

{{
GET /rest/v2/caches/{cacheName}?action=config
GET /rest/v2/caches
}}

New: The REST endpoint to retrieve cache configurations doesn't check for ADMIN permissions:

{noformat}
GET /rest/v2/caches/{cacheName}?action=config
GET /rest/v2/caches
{noformat}

The cache configuration may contain information about filesystem paths and allowed security roles which should not be viewable by non-administrators.

The first method should return a 403 in case the user doesn't have appropriate permissions.
The second method should omit the full cache configuration from the response (it returns other, non-security sensitive information).

The methods require authentication, but once authenticated, any user can invoke them successfully.

Wolf Fink made changes - 2023/06/22 2:39 PM

Link

New: This issue causes DGSUP-222 [ DGSUP-222 ]

Tristan Tarrant made changes - 2023/08/07 12:30 PM

Link

New: This issue blocks JDG-6367 [ JDG-6367 ]

Tristan Tarrant made changes - 2023/09/22 2:53 PM

Status

Original: New [ 10016 ]

New: Open [ 1 ]

Tristan Tarrant made changes - 2023/09/22 2:53 PM

Git Pull Request		New: https://github.com/infinispan/infinispan/pull/11319
Status	Original: Open [ 1 ]	New: Pull Request Sent [ 10011 ]

Tristan Tarrant made changes - 2023/09/22 2:55 PM

Git Pull Request

Original: https://github.com/infinispan/infinispan/pull/11319

New: https://github.com/infinispan/infinispan/pull/11319, https://github.com/infinispan/infinispan/pull/11320

Tristan Tarrant made changes - 2023/09/22 2:56 PM

Security

Original: Security Issue [ 10292 ]

Tristan Tarrant made changes - 2023/09/22 2:56 PM

Summary

Original: Non-admins should not be able to get cache config via REST API

New: CVE-2023-14986 Non-admins should not be able to get cache config via REST API

Tristan Tarrant made changes - 2023/09/22 2:56 PM

Summary

Original: CVE-2023-14986 Non-admins should not be able to get cache config via REST API

New: CVE-2023-3629 Non-admins should not be able to get cache config via REST API

Ryan Emerson made changes - 2023/09/26 4:36 PM

Fix Version/s

New: 15.0.0.Dev04 [ 12413880 ]

Ryan Emerson made changes - 2023/09/28 4:05 PM

Fix Version/s		New: 14.0.18.Final [ 12413407 ]
Resolution		New: Done [ 1 ]
Status	Original: Pull Request Sent [ 10011 ]	New: Resolved [ 5 ]

Katia Aresti made changes - 2023/10/01 12:20 PM

Link

New: This issue causes ~~ISPN-15198~~ [ ~~ISPN-15198~~ ]

Katia Aresti made changes - 2023/10/03 7:40 AM

Link

New: This issue causes JDG-6458 [ JDG-6458 ]

Pedro Zapata Fernandez made changes - 2023/11/16 2:33 PM

Workflow

Original: GIT Pull Request with Triage workflow [ 23769310 ]

New: OJA-WF-BG [ 24698067 ]

Tristan Tarrant made changes - 2024/07/12 4:06 PM

Fix Version/s

New: 15.0.0.Final [ 12377084 ]

Tristan Tarrant made changes - 2024/07/12 4:14 PM

Affects Version/s

New: 15.0.0.Final [ 12377084 ]

Assignee:: Tristan Tarrant

Reporter:: Tristan Tarrant

Archiver:: Amol Dongare

Created:: 2023/06/22 5:05 AM

Updated:: 2024/07/12 4:14 PM

Resolved:: 2023/09/28 4:05 PM

Archived:: 2024/11/28 6:21 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty