Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Normal
Fix Version/s: 4.13.0
Affects Version/s: 4.12.z
Component/s: Management Console
Labels:
- backend
- security
- triaged

Severity:
Moderate
Regression:
No
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

Customer security team discovered that many folders in openshift-console are browsable. Can you please remove the listing permissions from these folders (or globally)?

Hera are some examples:
https://console-openshift-console.apps.<domain>/static/dev-console/
https://console-openshift-console.apps.<domain>/static/helm-plugin/
https://console-openshift-console.apps.<domain>/static/topology/

Version-Release number of selected component (if applicable):

Tested on OCP 4.12.0 but I guess it affects all versions of the OCP web console

How reproducible:

Open the URLs with curl or a web browser and check that directory/files are listed

Steps to Reproduce:

1.
2.
3.

Actual results:

Directories and files are listed

Expected results:

Web server should return a forbidden error

Additional info:

Assignee:: Jakub Hadvig

Reporter:: Florian Gleizes (Inactive)

QA Contact:: Sanket Pathak

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2023/02/15 1:50 PM

Updated:: 2023/08/09 10:45 AM

Resolved:: 2023/08/09 10:45 AM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates