Bug 2217926 (CVE-2023-3629)
| Summary: | CVE-2023-3629 infinispan: Non-admins should not be able to get cache config via REST API | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, fjuma, ivassile, iweiss, lgao, mosmerov, msochure, mstefank, msvehla, nwallace, pjindal, pmackay, rstancel, security-response-team, smaestri, tom.jenkinson |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Infinispan's REST API: cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2217927 | | |
| Bug Blocks: | 2217923 | | |
This issue has been addressed in the following products: Red Hat Data Grid 8.4.4 via RHSA-2023:5396 https://access.redhat.com/errata/RHSA-2023:5396
The REST endpoints that retrieve cache configurations don't check for ADMIN permissions:

- `GET /rest/v2/caches/{cacheName}?action=config`
- `GET /rest/v2/caches`

The cache configuration may contain information about filesystem paths and allowed security roles, which should not be viewable by non-administrators. The first method should return a 403 in case the user doesn't have the appropriate permissions. The second method should omit the full cache configuration from the response (it returns other, non-security-sensitive information). The methods require authentication, but once authenticated, any user can invoke them successfully.
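As an added illustration (not Infinispan's code and not its real REST handler API), a hypothetical Python model of the two endpoints: the reported behaviour beside the checks the description asks for. The cache data, the principals and the permission names are constructed for the example.

```python
from http import HTTPStatus

# Constructed sample data (not Infinispan's real format): the configuration of
# a cache carries a filesystem path and the roles allowed to use it, the kind
# of detail the bug says must not be readable by non-administrators.
CACHES = {
    "sessions": {
        "size": 42,
        "configuration": {
            "persistence": {"path": "/var/lib/datagrid/sessions"},
            "security": {"roles": ["admin", "application"]},
        },
    },
}
# Hypothetical principals: all are authenticated, only alice holds ADMIN.
PRINCIPALS = {"alice": {"ADMIN", "READ"}, "bob": {"READ"}}

def is_admin(user):
    return "ADMIN" in PRINCIPALS.get(user, set())

def get_cache_config_vulnerable(user, cache_name):
    """GET /rest/v2/caches/{cacheName}?action=config as reported: authentication only."""
    if user not in PRINCIPALS:
        return HTTPStatus.UNAUTHORIZED, None
    if cache_name not in CACHES:
        return HTTPStatus.NOT_FOUND, None
    return HTTPStatus.OK, CACHES[cache_name]["configuration"]

def get_cache_config_fixed(user, cache_name):
    """Same endpoint with the ADMIN check the bug asks for: non-admins get 403."""
    if user not in PRINCIPALS:
        return HTTPStatus.UNAUTHORIZED, None
    if not is_admin(user):
        return HTTPStatus.FORBIDDEN, None  # decided before any cache lookup
    if cache_name not in CACHES:
        return HTTPStatus.NOT_FOUND, None
    return HTTPStatus.OK, CACHES[cache_name]["configuration"]

def list_caches_fixed(user):
    """GET /rest/v2/caches: keep non-sensitive fields, include 'configuration' only for ADMIN."""
    if user not in PRINCIPALS:
        return HTTPStatus.UNAUTHORIZED, None
    entries = []
    for name, cache in CACHES.items():
        entry = {"name": name, "size": cache["size"]}
        if is_admin(user):
            entry["configuration"] = cache["configuration"]
        entries.append(entry)
    return HTTPStatus.OK, entries
```

Checking the permission before the cache lookup also keeps a non-admin from learning which cache names exist by probing for 404 versus 403.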