A flaw was found in Infinispan's REST API. The cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.
Description Dhananjay Arunesh
2023-06-27 13:45:35 UTC
The REST endpoint to retrieve cache configurations doesn't check for ADMIN permissions:
GET /rest/v2/caches/{cacheName}?action=config
GET /rest/v2/caches
The cache configuration may contain information about filesystem paths and allowed security roles which should not be viewable by non-administrators.
The first method should return a 403 in case the user doesn't have appropriate permissions.
The second method should omit the full cache configuration from the response (it returns other, non-security sensitive information).
The methods require authentication, but once authenticated, any user can invoke them successfully.
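The behaviour the report asks for, modelled as an added example (not Infinispan code and not part of the original report): the config request is refused with 403 without ADMIN, and the cache listing drops the configuration while keeping the other fields. The cache records, the `configuration` field name and the non-admin permission set are assumptions constructed for illustration.

```python
# Added illustration: models the behaviour the report asks for. Not Infinispan code.
# Cache records, field names and paths below are constructed for the example.
ADMIN = "ADMIN"

CACHES = {  # constructed sample data
    "sessions": {
        "status": "RUNNING",
        "size": 42,
        "configuration": {
            "persistence": {"file-store": {"path": "/constructed/data/sessions"}},
            "security": {"authorization": {"roles": ["admin", "ops"]}},
        },
    },
    "catalog": {
        "status": "RUNNING",
        "size": 7,
        "configuration": {"security": {"authorization": {"roles": ["admin"]}}},
    },
}

def get_cache_config(caches, name, permissions):
    """GET /rest/v2/caches/{cacheName}?action=config -> (status, body)."""
    # Authorize before the lookup, so a non-admin gets the same answer
    # whether or not the cache exists.
    if ADMIN not in permissions:
        return 403, None
    if name not in caches:
        return 404, None
    return 200, caches[name]["configuration"]

def list_caches(caches, permissions):
    """GET /rest/v2/caches -> (status, body); configuration only for admins."""
    is_admin = ADMIN in permissions
    body = []
    for name in sorted(caches):
        entry = {"name": name}
        for key, value in caches[name].items():
            if key != "configuration" or is_admin:
                entry[key] = value
        body.append(entry)
    return 200, body

def contains_key(obj, key):
    """Recursively report whether `key` appears anywhere in a JSON-like value."""
    if isinstance(obj, dict):
        return key in obj or any(contains_key(v, key) for v in obj.values())
    if isinstance(obj, list):
        return any(contains_key(v, key) for v in obj)
    return False
```

`contains_key` is the check to reuse in a regression test: run it over the listing returned to a non-admin account and fail the test if `configuration` appears at any depth.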